Magecart group linked to Dridex banking Trojan, Carbanak

Domain tracking has led to connections between different cyberattack campaigns.
Written by Charlie Osborne, Contributing Writer

An active Magecart scheme has ties to Dridex phishing campaigns and the Carbanak group, indicating that skimmer scripts may be a prelude to more traditional malware use, researchers say. 

On Tuesday, cybersecurity researchers from Malwarebytes said one of the Magecart groups that are currently active, assigned the name Magecart Group 5, appears to have connections to the Carbanak Advanced Persistence Threat (APT) gang. 

When Magecart appeared on the scene several years ago, the name was attributed to a group that specialized in the use of card skimmer JavaScript. These scripts would be covertly loaded onto compromised e-commerce platforms and services and would harvest payment card details input by victims when attempting to make a purchase. 

See also: Old Magecart web domains resurrected for fraudulent ad schemes

British Airways, Ticketmaster, Newegg, and thousands of other retailers have fallen prey to this tactic, usually made successful through Content Management System (CMS) vulnerabilities and misconfigured cloud services

Now, however, the term Magecart is employed to describe groups of threat actors that employ card skimmers online, as well as the tactic itself. 

Magecart Group 5 has a "very different modus operandi" to others in the space, Malwarebytes says, as it tends to hone in on weaknesses in the supply chain and low-hanging fruit rather than directly assault its true targets. 

If third-party suppliers can be compromised by infiltrating their networks and tampering with libraries or 'security seals' -- trust indicators that an online store is safe -- the group can potentially attack thousands of domains down the line at once. 

According to researchers Jérôme Segura, William Tsing and Adam Thomas, Magecart Group 5 is likely linked to Dridex, a banking Trojan that first made the rounds in 2014 and has been actively employed in the theft of online banking credentials ever since.

The malware is generally spread through phishing schemes employing fake invoice notices.  

Utilizing data from WHOIS records predating the EU's General Data Protection Regulation (GDPR), Malwarebytes uncovered registrant data from a 'bulletproof' registrar in China called BIZCN/CNOBIN. 

While the group did register domains used in their card skimming campaigns under privacy protection services, Magecart Group 5 did not apply for this protection under all records, revealing a set of malicious domains registered by the same guotang323@yahoo.com email address used in both Magecart skimming and Dridex attacks. 

CNET: Huawei exec acknowledges it's struggling without Google support

Some of the domains owned by the threat actor have been used in corporate e-fax phishing email campaigns targeting Germans, while others are OnePosting and Xero phishing scams -- both of which attempt to deploy the malware on the devices of those who fall for fraudulent messages. 

The registered phone number, too, may provide a further connection to other campaigns. +86. 1066569215, as examined by cybersecurity expert Brian Krebs, may have links to both Carbanak campaigns and a Russian 'cybersecurity' company. 

TechRepublic: Hyperautomation, human augmentation and distributed cloud among top 10 technology trends for 2020

Previously, Malwarebytes examined Magecart Group 5 and its potential ties to Cobalt, a pernicious hacking group believed to be responsible for the theft of millions of dollars from financial institutions worldwide. 

IBM has also identified Magecart Group 6 as FIN6, a threat group associated with attacks against point-of-sale (PoS) systems across Europe, as well as the deployment of various strains of malware. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards