"We assume that the gang will continue the infections as part of this campaign, as their operations in the past followed the same pattern of infections distributed over time," says Viktor Okorokov, threat intelligence and attribution analyst at Group-IB.
Over the last five years, UltraRank has targeted more than 700 e-commerce sites as well as 13 third-party suppliers in North America, Europe, Asia and Latin America, Okorokov says.
In September, researchers at Group-IB discovered that the group had created its own carding shop called ValidCC that sells the stolen payment card data directly to other fraudsters (see: 'UltraRank' Gang Sells Card Data It Steals).
Group-IB notes the latest campaign apparently began with the UltraRank hackers using compromised content management system credentials to gain access to the back-end infrastructure behind e-commerce sites' checkout functions.
The hacking group hosts the SnifLite skimmer on a domain that mimics a legitimate Google Tag Manager domain, so that the injected script reference resembles the tag-management code many e-commerce sites already load and is harder for security tools to spot.
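One practical check that follows from this tactic is to audit every external script a checkout page loads and flag hosts that imitate Google Tag Manager without actually being Google's. The script below is an added example written for this article; it is not Group-IB's tooling and not code from the UltraRank campaign. It combines two heuristics: any non-Google host containing the brand string "tagmanager" is treated as a lookalike, and a leading host label within two edits of "googletagmanager" catches typosquats. The HTML, the `.example` hostnames and the `GTM-ABCD123` container ID are constructed for the demonstration and are not claims about real domains.

```python
"""Flag <script src> references that imitate Google Tag Manager.

Added example for this article, not Group-IB's or UltraRank's code.
All hostnames in SAMPLE_HTML are constructed (.example TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts Google actually serves GTM from; anything else that looks like GTM is suspect.
LEGIT_GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}
GTM_LABEL = "googletagmanager"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to catch short typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for the host of a script URL."""
    host = host.lower()
    if host in LEGIT_GTM_HOSTS:
        return "legit"
    labels = host.split(".")
    if labels[0] == "www":
        labels = labels[1:] or [""]
    # Rule 1: the brand string inside a non-Google host,
    # e.g. googletagmanager.com.static.example
    if "tagmanager" in host:
        return "lookalike"
    # Rule 2: leading label within two edits of the brand,
    # e.g. googletagmanger.example
    if levenshtein(labels[0], GTM_LABEL) <= 2:
        return "lookalike"
    return "other"


class ScriptSrcExtractor(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_scripts(html: str) -> list[tuple[str, str]]:
    """Return (src, verdict) for every external script reference in the page."""
    parser = ScriptSrcExtractor()
    parser.feed(html)
    results = []
    for src in parser.srcs:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # relative paths have no hostname and are classified as 'other'.
        host = urlparse(src).hostname or ""
        results.append((src, classify_host(host)))
    return results


def lookalikes(html: str) -> list[str]:
    """Only the script sources that imitate Google Tag Manager."""
    return [src for src, verdict in audit_scripts(html) if verdict == "lookalike"]


# Constructed sample page: one real GTM host, one typosquat, one brand-in-subdomain,
# one unrelated CDN and one relative script.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
<script src="https://www.googletagmanger.example/gtm.js?id=GTM-ABCD123"></script>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="//googletagmanager.com.static.example/gtm.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for src, verdict in audit_scripts(SAMPLE_HTML):
        print(f"{verdict:9s} {src}")
```

Run against a saved copy of a checkout page, the script reports two lookalike hosts in the sample above and leaves the genuine `www.googletagmanager.com` reference alone. The edit-distance threshold of two is a judgment call: raising it catches more creative spellings at the cost of false positives on short, unrelated labels.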
UltraRank, which has been using the SnifLite skimmer since 2019, previously deployed it to target a French advertising network called Adverline.
The SnifLite skimmer stages stolen payment card data in a local file called "google.verify.cache.001." In the final stage of the attack, the data is read from this file and exfiltrated to infrastructure controlled by the UltraRank group, the Group-IB report notes.
UltraRank's malicious code has been found on many other e-commerce sites, including one for the postponed 2020 Tokyo Olympics, according to the report.