Cyber Threat Actor: Fullz House
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
2 incidents |
|---|
Profile
Fullz House is a threat actor known by that alias and has been linked to operations originating from Russia. The group primarily targets online retail environments and telecommunications providers that operate e‑commerce platforms. Their observed goal is financial gain through the theft of payment card and personal data. They have not been associated with espionage or disruption objectives in the publicly available reporting.
Fullz House employs web skimming techniques, injecting malicious JavaScript into compromised sites to capture payment information. The injected script is often disguised as a legitimate Google Analytics library and loaded from an external domain such as paypal-debit[.]com/cdn/ga.js. It monitors input fields for changes and exfiltrates the harvested data via Base64‑encoded GET requests. In addition to skimming, the group uses a phishing component that redirects victims to counterfeit payment pages mimicking legitimate financial institutions before returning them to the real checkout flow. Their tooling includes custom‑built skimmers that operate like noisy keyloggers, continually checking form fields rather than waiting for order submission.
Public sources indicate the actor’s operational base is in Russia, but no direct ties to a state sponsor have been established. There is no evidence linking Fullz House to a larger criminal consortium or affiliate network. Attribution remains limited to geographic inference from the available reporting.
Two representative campaigns illustrate the group’s methodology: in October 2020 they compromised the Boom! Mobile virtual network operator’s website, inserting a credit‑card skimmer that remained active at the time of discovery; and in December 2019 they breached Rooster Teeth Productions’ online store, using geographically tailored phishing domains to redirect shoppers to fraudulent payment pages during checkout. Both incidents involved the injection of malicious code that combined data skimming with deceptive redirection to harvest payment details. The Boom! Mobile intrusion was facilitated by the site’s reliance on an unsupported PHP version, whereas the Rooster Teeth breach did not disclose the initial access vector. These cases show the actor’s repeated use of hybrid skimming‑phishing tactics against consumer‑facing web services.
