Historical Breadcrumbs Link Magecart 5 to Carbanak Group

Magecart is the umbrella term for a range of criminal groups that use software to perform digital credit card skimming. It isn’t clear how many different Magecart groups are currently operating. There are some suggestions that there are dozens, but with counter-suggestions that some of these may be individual operators rather than groups.


Magecart 5 is recognized as an advanced actor. “With some exceptions such as the Ticketmaster breach,” writes Malwarebytes in a new report, “Group 5 has a very different modus operandi in that it targets the supply-chain used by e-commerce merchants to load various libraries, analytics or security seals. Attacks consist of compromising a third-party supplier and therefore affecting hundreds or even thousands of websites downstream.”

In early October 2019, Malwarebytes suggested that the group known as Magecart 4 is really the Cobalt Group. This followed an earlier attribution of Magecart 6 to the FIN6 group by IBM. Now Malwarebytes has found sufficient evidence to suggest that Magecart 5 is really the APT group known as the Carbanak Group.

Malwarebytes researchers looked at eight domains carrying the name Informaer that RiskIQ had associated with Magecart 5. These had been registered through the Chinese registrar BIZCN/CNOBIN using its privacy protection service. However, Malwarebytes discovered a ninth Informaer domain that had been missed and, more importantly, was not covered by privacy protection: informaer.info.

This domain was registered at the same time as the other Informaer domains, and therefore almost certainly for the same purpose: Magecart 5 operations. “All nine informaer domains,” Jerome Segura, Malwarebytes’ director of threat intelligence, told SecurityWeek, “were registered within a few seconds of each other. This indicates that the same person purchased all the domains at the same time.” If it had been a few months earlier or later, you could not draw the same conclusion. “I think it was just a mistake or an oversight by the registrant not to apply the privacy services,” continued Segura.

Now, since the privacy services had not been activated, the researchers had two other important clues: an email address (guotang323[at]yahoo.com) and a telephone number (+86.1066569215). From the email address, they discovered other domains registered by the same person, including several that connect to Dridex phishing campaigns (corporatefaxsolutions[.]com, onenewpost[.]com, and xeronet[.]org) from the same timeframe.

In 2017, a Swiss CERT report described a Dridex phishing campaign used to deliver Carbanak malware. Furthermore, say the researchers, “A diagram from Swiss CERT also shows how the Dridex loader does some victim triaging to either deliver Dridex proper (for consumers or low interest targets) or Carbanak for companies and high value targets.” Again, this is from the same timeframe.

So far, the researchers had connected Magecart 5 to separate Dridex phishing campaigns, with a tenuous link to Carbanak, all via the informaer.info registrant’s email. This is interesting, but still somewhat circumstantial. However, looking at the informaer.info registrant’s phone number, they found another link. In 2016 (again, note the timeframe), Brian Krebs posted a report linking Carbanak to the Russian security firm Infocube.


In this report Krebs mentions three domains that had previously been tied to Carbanak by multiple researchers: ‘weekend-service[dot]comCHV’, ‘coral-trevel[dot]com’ and ‘freemsk-dns[dot]com’. “Historic registration or ‘WHOIS’ records maintained by Domaintools.com,” he wrote, “for all three domains contain the same phone and fax numbers for what appears to be a Xicheng Co. in China — 1066569215 and 1066549216, each preceded by either a +86 (China’s country code) or +01 (USA).”

This same phone number provides a direct link between Magecart 5 and Carbanak. It appears as if the same person who registered the known Magecart 5 domains had earlier registered known Carbanak hub domains. “All of the information from the informaer.info registration could be faked to confuse researchers,” admitted Segura. “But all of this happened in 2016, at a time when Magecart attribution was not being researched. It seems very unlikely that the group behind Magecart 5 would go to this trouble to fool the hunters when they were not being hunted.”
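The pivot described above (a same-moment burst of identically named domains, then an unredacted e-mail address and phone number leading to older registrations), as an added example that is not part of the article or of Malwarebytes' or RiskIQ's tooling. The WHOIS records below are constructed: the domain names, e-mail address and phone number are those cited in the article, while the timestamps and every other field value are invented; `refang`, `phone_key`, `same_label_burst`, `registrant_pivot` and `attribution_chain` are hypothetical helper names.

```python
import re
from datetime import datetime, timedelta
# Constructed historic-WHOIS records (example data, not from the page's sources).
# Domain names, the e-mail address and the phone number are the ones the article
# cites; timestamps and all other field values are invented. The last record shares
# the burst's registration second but not its label, so it must stay out.
RECORDS = [
    {"domain": "informaer.com", "created": "2016-05-02T09:00:00", "email": None, "phone": None},
    {"domain": "informaer.net", "created": "2016-05-02T09:00:03", "email": None, "phone": None},
    {"domain": "informaer.info", "created": "2016-05-02T09:00:05",
     "email": "guotang323[at]yahoo.com", "phone": "+86.1066569215"},
    {"domain": "corporatefaxsolutions[.]com", "created": "2016-07-11T14:20:00",
     "email": "guotang323[at]yahoo.com", "phone": None},
    {"domain": "weekend-service[dot]com", "created": "2014-03-10T11:00:00",
     "email": "xicheng@example.invalid", "phone": "+86.1066569215"},
    {"domain": "coral-trevel[dot]com", "created": "2014-03-10T11:05:00",
     "email": "xicheng@example.invalid", "phone": "+01.1066569215"},
    {"domain": "unrelated-shop.example", "created": "2016-05-02T09:00:04",
     "email": "shop@example.invalid", "phone": "+1.5550100"},
]

def refang(domain):
    """Turn a defanged name ('a[.]b', 'a[dot]b') back into a real hostname."""
    return domain.replace("[.]", ".").replace("[dot]", ".").lower()

def phone_key(phone):
    # Digits only, last ten: '+86.1066569215' and '+01.1066569215' compare equal.
    return re.sub(r"\D", "", phone)[-10:] if phone else None

def same_label_burst(records, seed, window=timedelta(seconds=10)):
    """Domains with the seed's second-level label registered within `window` of it."""
    label, t0 = refang(seed["domain"]).split(".")[0], datetime.fromisoformat(seed["created"])
    return sorted(r["domain"] for r in records
                  if refang(r["domain"]).split(".")[0] == label
                  and abs(datetime.fromisoformat(r["created"]) - t0) <= window)

def registrant_pivot(records, seed):
    """Other domains sharing the seed's unredacted e-mail or (normalised) phone."""
    email, phone, hits = seed["email"], phone_key(seed["phone"]), {}
    for r in (x for x in records if x is not seed):
        if email and r["email"] == email:
            hits.setdefault(r["domain"], []).append("email")
        if phone and phone_key(r["phone"]) == phone:
            hits.setdefault(r["domain"], []).append("phone")
    return hits

def attribution_chain(records, seed_domain):
    """Burst siblings (same label, same moment) plus registrant pivots from one seed."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    return {"burst": same_label_burst(records, seed), "pivot": registrant_pivot(records, seed)}
```

The time-window match is deliberately gated on the shared label, since a stranger's domain registered in the same second is not evidence of anything; the phone normalisation is what lets the +86 and +01 variants Krebs describes match.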

It is not absolute proof — attribution is rarely based on absolute proof — but Malwarebytes believes it has found enough evidence to suggest that Magecart 5 and the Carbanak Group are one and the same.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
