The unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors
In this report
For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers, improved their infrastructure, created monetization instruments, and modified malicious code.
The group’s arsenal includes both standalone attacks and attacks on third-party suppliers. UltraRank has also hijacked tools created by its competitors and confronted hackers who imitated a cardshop associated with the group.
Given that investigators have attributed many of UltraRank’s attacks to other threat actors, the group has managed to stay unnoticed for the most part.
At the moment the group remains active, with their latest infections being detected in June 2020.
13 third-party suppliers for websites were attacked by UltraRank. Total number of infected sites may reach 100K
is the daily estimated income of a cardshop connected with the group’s infrastructure
led by UltraRank were previously attributed to other groups by researchers
During its activity, UltraRank has built an autonomous business model with a unique technical and organizational structure, as well as its own sales and monetization system for stolen bank card data.
The group is not an ordinary player in this criminal market, as its methods of competing also show: Group-IB experts recorded UltraRank’s attacks on competing groups, as well as on phishing pages imitating a cardshop associated with the cybercriminals.
Download to learn:
Evolution of UltraRank’s TTPs, differences between campaigns, major changes to JS sniffers
UltraRank’s standalone and supply chain attacks, and its confrontations with competitors
Understanding the threat and following a set of rules can secure your business from similar attacks
Download report: "UltraRank: The unexpected twist of a JS-sniffer triple threat"
How Group-IB can protect your website from JS-Sniffers
The use of certain products and services could help minimize risks and implement adequate and timely measures if an infection occurs:
Website Security Assessment
Look for any indicators that a website has already been compromised by JS-Sniffers or that there have been compromise attempts. Identify backdoors that attackers use (as in the case of UltraRank) to return the deleted code to the site.