If you’re in the market for a new cell phone plan, it’s best to avoid turning to Boom! Mobile. That is, unless you don’t mind your sensitive payment card data being sent to criminals in an attack that was still ongoing a few hours ago.
According to researchers from security firm Malwarebytes, Boom! Mobile’s boom.us website has been infected with a malicious script that extracts payment card data and sends it to a server under the control of a criminal group investigators have named Fullz House. The malicious script is called by a single line that looks like mostly nonsense characters to the human eye.
The name Fullz House is a nod to Fullz, which is slang for full or complete data from a credit or debit card. Typically, fullz includes the holder’s full name and billing address; card number, expiry date and security code; and usually a Social Security number and date of birth. Fullz sells for much more in the underground markets than partial information. Malwarebytes says it has seen Fullz House at work before.
People considering buying a new phone plan should steer clear of Boom!, at least until the skimmer script is removed. Antivirus protection from Malwarebytes and some other providers will also provide a warning when users are visiting a site infected with one of these skimmers. Boom! representatives did not respond to messages seeking comment for this post.
Update: In a statement that came out about 17 hours after this post went live, Boom! Mobile workers wrote:
BOOM MOBILE deeply regrets this incident. From the beginning, we were quick to clear the scene and conduct a thorough investigation. We have found that the malware is only on the shopping cart at boom.us and not on any of our other sites such as myaccount.boom.us which customers use to manage their billing. Customers who may have purchased from www.boom.us between 9/30/20 – 10/5/20 are advised to take special precautions with their credit card company. This event does not affect any active MOBILE accounts, saved payment or automatic payment details. The stored payment system / automatic system does not store any bank details and we ensure that it is safe. Processor credit cards provide us with a secure token that can only be used by BOOM! MOBILE from our secure server. We are committed to protecting your data & privacy. We are PCI compliant and do not store financial data on our servers. Our shopping cart provider has ensured that our site is safe and that malware has been removed.