An active Magecart scheme has ties to Dridex phishing campaigns and the Carbanak group, indicating that skimmer scripts may be a prelude to more traditional malware use, researchers say.
On Tuesday, cybersecurity researchers from Malwarebytes said one of the Magecart groups that are currently active, assigned the name Magecart Group 5, appears to have connections to the Carbanak Advanced Persistence Threat (APT) gang.
British Airways, Ticketmaster, Newegg, and thousands of other retailers have fallen prey to this tactic, usually made successful through Content Management System (CMS) vulnerabilities and misconfigured cloud services.
Now, however, the term Magecart is employed to describe groups of threat actors that employ card skimmers online, as well as the tactic itself.
Magecart Group 5 has a "very different modus operandi" to others in the space, Malwarebytes says, as it tends to hone in on weaknesses in the supply chain and low-hanging fruit rather than directly assault its true targets.
If third-party suppliers can be compromised by infiltrating their networks and tampering with libraries or 'security seals' -- trust indicators that an online store is safe -- the group can potentially attack thousands of domains down the line at once.
According to researchers Jérôme Segura, William Tsing and Adam Thomas, Magecart Group 5 is likely linked to Dridex, a banking Trojan that first made the rounds in 2014 and has been actively employed in the theft of online banking credentials ever since.
The malware is generally spread through phishing schemes employing fake invoice notices.
Utilizing data from WHOIS records predating the EU's General Data Protection Regulation (GDPR), Malwarebytes uncovered registrant data from a 'bulletproof' registrar in China called BIZCN/CNOBIN.
While the group did register domains used in their card skimming campaigns under privacy protection services, Magecart Group 5 did not apply for this protection under all records, revealing a set of malicious domains registered by the same firstname.lastname@example.org email address used in both Magecart skimming and Dridex attacks.
Some of the domains owned by the threat actor have been used in corporate e-fax phishing email campaigns targeting Germans, while others are OnePosting and Xero phishing scams -- both of which attempt to deploy the malware on the devices of those who fall for fraudulent messages.
The registered phone number, too, may provide a further connection to other campaigns. +86. 1066569215, as examined by cybersecurity expert Brian Krebs, may have links to both Carbanak campaigns and a Russian 'cybersecurity' company.
Previously, Malwarebytes examined Magecart Group 5 and its potential ties to Cobalt, a pernicious hacking group believed to be responsible for the theft of millions of dollars from financial institutions worldwide.
Previous and related coverage
- New Magecart attacks leverage misconfigured S3 buckets to infect over 17K sites
- Magecart strikes again: hotel booking websites come under fire
- Hackers looking into injecting card stealing code on routers, rather than websites
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0