Cybercrime

Magecart Group Tied to Cobalt Hackers

Security researchers were able to link one of the hacking groups operating under the Magecart umbrella to the infamous threat actor known as the Cobalt Group.

Magecart hackers made it into the spotlight last year, after the high-profile breaches at Ticketmaster, British Airways, and Newegg, but they have been active for at least a decade, RiskIQ says.

Numerous groups operate under the Magecart umbrella, and their infrastructure floods the Internet, RiskIQ explains in a new report; the company has identified dozens of known groups and over 570 command and control (C&C) domains.

Some of these groups, however, appear tied to more prominent threat actors, a joint report from security researchers at Malwarebytes and HYAS Threat Intelligence reveals.

While Magecart Group 6 was previously linked to the FIN6 hackers, Malwarebytes and HYAS now reveal they have found ties between Group 4 and the Cobalt Gang, including matching patterns in the email addresses used to register domains.

Furthermore, the researchers explain that Group 4 has been conducting both client-side and server-side skimming, which sets it apart from most Magecart groups, which perform only client-side skimming.

One of Group 4’s client-side skimmers was hidden in the jquery.mask.js plugin and was appended at the end of the script. The skimmer also had some layers of obfuscation.

A server-side skimmer associated with the group was a PHP script that was mistakenly served as JavaScript. The code was designed to find certain keywords associated with financial transactions and send the request and cookie data to the attacker’s server.

In both cases, the domains were registered to robertbalbarran(at)protonmail.com and were previously identified by RiskIQ.

Looking at their exfiltration gates, however, Malwarebytes and HYAS were able to connect them to other registrant emails and identify a pattern: email addresses have the format [first name][initial][last name].

This is the same technique that the Cobalt Group has switched to, not to mention that the same email services, registrars, and privacy protection services are used in both cases. Furthermore, regardless of the email provider, 10 of the accounts reused two IP addresses, even months apart.

One email address, petersmelanie(at)protonmail.com, was used to register 23 domains, including a site used in a phishing campaign leveraging CVE-2017-0199 and another one targeting Oracle users.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” Malwarebytes notes.

RiskIQ reports a total of 2,086,529 observations of Magecart to date. This rapidly growing cybercrime syndicate, made up of dozens of subgroups, employs a variety of techniques to carry out attacks, including supply-chain attacks and the targeting of misconfigured Amazon S3 buckets and Magento sites.

Businesses need an average of 22 days to discover and remediate a Magecart compromise, and some breaches last years due to the lack of visibility organizations have into their web-facing resources.

“In many cases, the victims have no idea the JavaScript on their site has been changed, allowing the malicious code to exist there indefinitely. […] Businesses need a continued focus on visibility into their internet-facing attack surfaces, as well as increased scrutiny of the third-party services used in their web applications,” RiskIQ notes.
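The visibility gap RiskIQ describes, and the appended-to-a-plugin placement mentioned earlier for the Group 4 client-side skimmer, can be closed with a baseline check on every third-party script a site serves. The following is an added example, not code from the article or from RiskIQ, Malwarebytes or HYAS; the script contents, the appended blob and the obfuscation marker list are constructed for illustration, and the `sri_hash` output is the value a site would place in a `<script integrity="...">` attribute.

```python
import base64
import hashlib

# Constructed sample: a stand-in for the legitimate plugin as originally deployed
# (not the real jquery.mask.js source).
BASELINE_JS = "(function($){$.fn.mask=function(m){return this;};})(jQuery);\n"

# Constructed sample of a tampered copy: the same file with an inert blob appended
# at the end, mimicking the placement described in the article.
APPENDED_BLOB = "!function(){var a=atob('Y29uc3RydWN0ZWQ=');}();\n"
TAMPERED_JS = BASELINE_JS + APPENDED_BLOB

# Tokens that commonly appear in obfuscated injected code; a heuristic, not proof.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "fromCharCode")


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for content."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_script(baseline: str, current: str) -> dict:
    """Compare a served script against its known-good baseline.

    Reports whether the file is unchanged, whether the change is purely appended
    content (the baseline is an exact prefix of the served copy), the first
    differing offset, and any obfuscation markers found in the differing part.
    """
    unchanged = current == baseline
    appended = (not unchanged) and current.startswith(baseline)
    # First character offset at which the two texts diverge (len(baseline) if appended).
    offset = next(
        (i for i, (a, b) in enumerate(zip(baseline, current)) if a != b),
        min(len(baseline), len(current)),
    )
    extra = "" if unchanged else current[offset:]
    markers = [m for m in OBFUSCATION_MARKERS if m in extra]
    return {
        "unchanged": unchanged,
        "appended": appended,
        "offset": offset,
        "extra": extra,
        "markers": markers,
        "baseline_sri": sri_hash(baseline),
        "current_sri": sri_hash(current),
    }


if __name__ == "__main__":
    for key, value in check_script(BASELINE_JS, TAMPERED_JS).items():
        print(f"{key}: {value!r}")
```

Pinning the baseline hash in an `integrity` attribute makes the browser refuse a modified copy outright, while the offset and marker fields tell the responder where in the file the change landed.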

Related: Magecart Hackers Target L7 Routers

Related: Magecart Hackers Target Mobile Users of Hotel Websites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
