Magecart is the umbrella term for a range of criminal groups that use software to perform digital credit card skimming. It isn’t clear how many different Magecart groups are currently operating. There are some suggestions that there are dozens, but with counter-suggestions that some of these may be individual operators rather than groups.
Magecart 5 is recognized as an advanced actor. “With some exceptions such as the Ticketmaster breach,” writes Malwarebytes in a new report, “Group 5 has a very different modus operandi in that it targets the supply-chain used by e-commerce merchants to load various libraries, analytics or security seals. Attacks consist of compromising a third-party supplier and therefore affecting hundreds or even thousands of websites downstream.”
In early October 2019, Malwarebytes suggested that the group known as Magecart 4 is really the Cobalt Group. This followed an earlier attribution of Magecart 6 to the FIN6 group by IBM. Now Malwarebytes has found sufficient evidence to suggest that Magecart 5 is really the APT group known as the Carbanak Group.
Malwarebytes researchers looked at eight TLDs using the name Informaer and associated with Magecart 5 by RiskIQ. These had been registered with the Chinese registrar BIZCN/CNOBIN using the privacy protection services. However, Malwarebytes discovered a ninth Informaer domain that had been missed, and — more importantly — did not include privacy protection: informaer.info.
This domain was registered at the same time as the other Informaer domains, and therefore almost certainly for the same purpose: Magecart 5 operations. “All nine informaer domains,” Jerome Segura, Malwarebytes’ director of threat intelligence, told SecurityWeek, “were registered within a few seconds of each other. This indicates that the same person purchased all the domains at the same time.” If it had been a few months earlier or later, you could not draw the same conclusion. “I think it was just a mistake or an oversight by the registrant not to apply the privacy services,” continued Segura.
Now, since the privacy services had not been activated, the researchers had two other important clues: an email address (guotang323[at]yahoo.com) and a telephone number (+86.1066569215). From the email address, they discovered other domains registered by the same person, including several that connect to Dridex phishing campaigns (corporatefaxsolutions[.]com, onenewpost[.]com, and xeronet[.]org) from the same timeframe.
In 2017, a Swiss CERT report described a Dridex phishing campaign used to deliver Carbanak malware. Furthermore, say the researchers, “A diagram from Swiss CERT also shows how the Dridex loader does some victim triaging to either deliver Dridex proper (for consumers or low interest targets) or Carbanak for companies and high value targets.” Again, this is from the same timeframe.
So far, the researchers had connected Magecart 5 to separate Dridex phishing campaigns, with a tenuous link to Carbanak, all via the informaer.info registrant’s email. This is interesting, but still somewhat circumstantial. However, looking at the informaer.info registrant’s phone number, they found another link. In 2016 (again, note the timeframe), Brian Krebs posted a report linking Carbanak to the Russian security firm Infocube.
In this report Krebs mentions three domains that had previously been tied to Carbanak by multiple researchers: ‘weekend-service[dot]comCHV’, ‘coral-trevel[dot]com’ and ‘freemsk-dns[dot]com’. “Historic registration or ‘WHOIS’ records maintained by Domaintools.com,” he wrote, “for all three domains contain the same phone and fax numbers for what appears to be a Xicheng Co. in China — 1066569215 and 1066549216, each preceded by either a +86 (China’s country code) or +01 (USA).”
This same phone number provides a direct link between Magecart 5 and Carbanak. It appears as if the same person who registered the known Magecart 5 domains had earlier registered known Carbanak hub domains. “All of the information from the informaer.info registration could be faked to confuse researchers,” admitted Segura. “But all of this happened in 2016, at a time when Magecart attribution was not being researched. It seems very unlikely that the group behind Magecart 5 would go to this trouble to fool the hunters when they were not being hunted.”
It is not absolute proof — attribution is rarely based on absolute proof — but Malwarebytes believes it has found enough evidence to suggest that Magecart 5 and the Carbanak Group are one and the same.
Related: Magecart Hackers Target L7 Routers