Security Experts:

Connect with us

Hi, what are you looking for?



Magecart Group Tied to Cobalt Hackers

Security researchers were able to link one of the hacking groups operating under the Magecart umbrella to the infamous threat actor known as the Cobalt Group.

Security researchers were able to link one of the hacking groups operating under the Magecart umbrella to the infamous threat actor known as the Cobalt Group.

Magecart hackers made it into the spotlight last year, after the high-profile breaches at Ticketmaster, British Airways, and Newegg, but they have been active for at least a decade, RiskIQ says.

There are numerous groups operating under the Magecart umbrella, with their infrastructure flooding the Internet, RiskIQ, which has identified dozens of known groups and over 570 command and control (C&C) domains, explains in a new report.

Some of these groups, however, appear tied to more prominent threat actors, a joint report from security researchers at Malwarebytes and HYAS Threat Intelligence reveals.

While Magecart Group 6 was previously linked to the FIN6 hackers, Malwarebytes and HYAS now reveal they have found ties between Group 4 and the Cobalt Gang, including matching patterns in the email addresses used to register domains.

Furthermore, the researchers explain that Group 4 has been conducting both client-side and server-side skimming, which sets it apart from most Magecart groups, which only cover the former.

One of Group 4’s client-side skimmers was hidden in the jquery.mask.js plugin and was appended at the end of the script. The skimmer also had some layers of obfuscation.

A server-side skimmer associated with the group was a PHP script mistakenly served as JavaScript instead. The code was designed to find certain keywords associated with financial transactions and send the request and cookie data to the attacker’s server.

In both cases, the domains were registered to robertbalbarran(at) and were previously identified by RiskIQ.

Looking at their exfiltration gates, however, Malwarebytes and HYAS were able to connect them to other registrant emails and identify a pattern: email addresses have the format [first name][initial][last name].

This is the same technique that the Cobalt Group has switched to, not to mention that the same email services, registrars, and privacy protection services are used in both cases. Furthermore, regardless of the email provider, 10 of the accounts reused two IP addresses, even months apart.

One email address, petersmelanie(at), was used to register 23 domains, including a site used in a phishing campaign leveraging CVE-2017-0199 and another one targeting Oracle users.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” Malwarebytes notes.

RiskIQ reports a total of 2,086,529 observations of Magecart to date. This rapidly growing cybercrime syndicate comprised of dozens of subgroups is employing a variety of techniques to carry out attacks, including supply-chain attacks, and the targeting of misconfigured Amazon S3 buckets and Magento sites.

Businesses need an average of 22 days to discover and remediate a Magecart compromise, and some breaches last years due to the lack of visibility organizations have into their web-facing resources.

“In many cases, the victims have no idea the JavaScript on their site has been changed, allowing the malicious code to exist there indefinitely. […]Businesses need a continued focus on visibility into their internet-facing attack surfaces, as well as increased scrutiny of the third-party services used in their web applications,” RiskIQ notes.

Related: Magecart Hackers Target L7 Routers

Related: Magecart Hackers Target Mobile Users of Hotel Websites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.