Cyber Incident Victim: Boom! Mobile
Date: Oct 2020
Location: United States of America
Summary
The US mobile virtual network operator Boom! Mobile suffered a Magecart attack in which the Fullz House group injected a credit card skimmer into its e-commerce platform. The skimmer, a malicious script disguised as a Google Analytics library, harvested payment data by monitoring checkout input fields for changes and exfiltrated it in Base64-encoded GET requests; the group also redirected victims to a fraudulent payment page before returning them to the legitimate checkout. The compromise was still active and unremediated when it was discovered, so ongoing customer transactions remained exposed to theft through both direct skimming and phishing.
Description
On or around October 5, 2020, the US mobile virtual network operator Boom! Mobile suffered a compromise attributed to the hacker group Fullz House. The attackers injected a credit card skimming script into the company's e-commerce platform, specifically targeting the shopping cart functionality. This Magecart-style attack embedded malicious JavaScript designed to harvest payment card information submitted by customers during transactions. The script, served from paypal-debit[.]com/cdn/ga.js, was disguised as a Google Analytics library and loaded via a single line of code injected into the website. Malwarebytes' Threat Intelligence Team confirmed the script was still active on Boom! Mobile's site at the time of their investigation, indicating ongoing risk to customers. The compromised website ran PHP 5.6.40, a branch unsupported since January 2019, though the exact infiltration method remained unconfirmed. The skimmer continuously monitored input fields for changes, collected payment data in real time and exfiltrated it via Base64-encoded GET requests. Malwarebytes reported the incident to Boom! Mobile through live chat and email but received no response prior to publication.

Fullz House employed a hybrid tactic combining skimming with phishing. The group developed its own skimming tools rather than relying on prebuilt scripts, distinguishing its approach from typical Magecart attacks. After harvesting data during checkout, the attackers redirected victims to counterfeit payment pages mimicking legitimate financial institutions before forwarding them to Boom! Mobile's actual payment processor. Interposing a fake payment page in this way let the group steal card details a second time while keeping the customer's purchase completing normally, which concealed the compromise from victims. RiskIQ researchers had previously identified Fullz House's dual focus on skimming e-commerce platforms and phishing for banking credentials. The skimmer was unusually aggressive: it captured every change to the payment fields as it happened, effectively acting as a keylogger, rather than reading the form only when the purchase was finalized. Boom! Mobile's failure to remediate the compromise despite external notification left customer payment information exposed for an undetermined duration. The incident underscored the risks of outdated software and slow response to external reports in e-commerce environments.
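As an added example (not code from Malwarebytes, RiskIQ or Boom! Mobile), the following Python checks for the two observable traces of this kind of attack described above: a script tag loading an analytics look-alike such as ga.js from a host outside the site's allowlist, and outbound GET requests whose Base64-encoded query values decode to Luhn-valid card numbers. The allowlist, the look-alike filename list, the HTML and the log lines are all constructed for the example; the hostname in the sample HTML is the indicator reported in the description, and the card number is a standard test PAN.

```python
"""Detection helpers for a look-alike analytics skimmer loader and for
card data leaving in Base64-encoded GET query strings. Added example;
all inputs below are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Assumption: hosts this site legitimately loads analytics from.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# Assumption: filenames skimmers borrow to blend in with analytics traffic.
ANALYTICS_LOOKALIKES = {"ga.js", "analytics.js", "gtag.js", "gtm.js"}


class _ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, reason) for external scripts whose host is not allowlisted."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = parts.hostname  # None for same-origin relative paths
        if host is None or host in allowed_hosts:
            continue
        filename = parts.path.rsplit("/", 1)[-1].lower()
        reason = "third-party script host not on allowlist"
        if filename in ANALYTICS_LOOKALIKES:
            reason = "analytics look-alike filename on unapproved host"
        findings.append((src, reason))
    return findings


def luhn_ok(digits):
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
_REQ_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')


def _b64_decode_lenient(value):
    """Decode standard or URL-safe Base64, tolerating missing padding; None if not Base64 text."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", value):
        return None
    padded = value.replace("-", "+").replace("_", "/") + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_card_exfil(log_lines):
    """Return (request_target, decoded_text, pans) for GETs carrying Luhn-valid PANs in Base64 query values."""
    hits = []
    for line in log_lines:
        match = _REQ_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        for pair in urlsplit(target).query.split("&"):
            decoded = _b64_decode_lenient(unquote(pair.partition("=")[2]))
            if decoded is None:
                continue
            pans = [p for p in _PAN_RE.findall(decoded) if luhn_ok(p)]
            if pans:
                hits.append((target, decoded, pans))
    return hits


# Constructed sample inputs (not real traffic).
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/js/cart.js"></script>
<script src="//paypal-debit.com/cdn/ga.js"></script>
<script src="https://cdn.example-widgets.net/chat.js"></script>
</head><body></body></html>"""


def _b64q(text):
    return quote(base64.b64encode(text.encode()).decode())


SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2020:10:12:01 +0000] "GET /checkout?step=2 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [05/Oct/2020:10:12:09 +0000] "GET /cdn/track?d='
    + _b64q("cc=4111111111111111&exp=12/25&cvv=123&name=Jane Doe") + ' HTTP/1.1" 200 43',
    '203.0.113.7 - - [05/Oct/2020:10:13:30 +0000] "GET /api?state='
    + _b64q("session=abcdefghij&page=cart") + ' HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for src, reason in find_suspicious_scripts(SAMPLE_HTML):
        print(f"script: {src}  ({reason})")
    for target, _decoded, pans in find_card_exfil(SAMPLE_LOG):
        print(f"exfil: {target.split('?')[0]} -> {pans}")
```

The script check is cheap enough to run against every page template on each deploy; the log check belongs on an egress proxy or the browser-side beacon log, since the skimmer's GET goes to the attacker's host, not to the store's own web server.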
