An active Magecart scheme has ties to Dridex phishing campaigns and the Carbanak group, indicating that skimmer scripts may be a prelude to more traditional malware use, researchers say.
On Tuesday, cybersecurity researchers from Malwarebytes said one of the Magecart groups that are currently active, assigned the name Magecart Group 5, appears to have connections to the Carbanak Advanced Persistence Threat (APT) gang.
See also: Old Magecart web domains resurrected for fraudulent ad schemes
British Airways, Ticketmaster, Newegg, and thousands of other retailers have fallen prey to this tactic, usually made successful through Content Management System (CMS) vulnerabilities and misconfigured cloud services.
Now, however, the term Magecart is employed to describe groups of threat actors that employ card skimmers online, as well as the tactic itself.
Magecart Group 5 has a "very different modus operandi" to others in the space, Malwarebytes says, as it tends to hone in on weaknesses in the supply chain and low-hanging fruit rather than directly assault its true targets.
If third-party suppliers can be compromised by infiltrating their networks and tampering with libraries or 'security seals' -- trust indicators that an online store is safe -- the group can potentially attack thousands of domains down the line at once.
According to researchers Jérôme Segura, William Tsing and Adam Thomas, Magecart Group 5 is likely linked to Dridex, a banking Trojan that first made the rounds in 2014 and has been actively employed in the theft of online banking credentials ever since.
The malware is generally spread through phishing schemes employing fake invoice notices.
Utilizing data from WHOIS records predating the EU's General Data Protection Regulation (GDPR), Malwarebytes uncovered registrant data from a 'bulletproof' registrar in China called BIZCN/CNOBIN.
While the group did register domains used in their card skimming campaigns under privacy protection services, Magecart Group 5 did not apply for this protection under all records, revealing a set of malicious domains registered by the same firstname.lastname@example.org email address used in both Magecart skimming and Dridex attacks.
CNET: Huawei exec acknowledges it's struggling without Google support
Some of the domains owned by the threat actor have been used in corporate e-fax phishing email campaigns targeting Germans, while others are OnePosting and Xero phishing scams -- both of which attempt to deploy the malware on the devices of those who fall for fraudulent messages.
The registered phone number, too, may provide a further connection to other campaigns. +86. 1066569215, as examined by cybersecurity expert Brian Krebs, may have links to both Carbanak campaigns and a Russian 'cybersecurity' company.
TechRepublic: Hyperautomation, human augmentation and distributed cloud among top 10 technology trends for 2020
Previously, Malwarebytes examined Magecart Group 5 and its potential ties to Cobalt, a pernicious hacking group believed to be responsible for the theft of millions of dollars from financial institutions worldwide.
IBM has also identified Magecart Group 6 as FIN6, a threat group associated with attacks against point-of-sale (PoS) systems across Europe, as well as the deployment of various strains of malware.
These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0