“This grouping hacks only third-party service providers, but does not directly attack online stores. This particular group has already shown creativity and used the CDN (content delivery network) and advertising to inject its malicious code into sites”, – say RiskIQ experts.
And in September of this year, IBM experts discovered that MageCart 5 developed special scripts for placement on Layer 7 routers and the subsequent theft of bank cards. This allows concluding that attackers went from sites to attacks on routers.
Now, Malwarebytes experts have reported that they managed to connect the MageCart 5 group with the well-known criminal group Carbanak and the banking Trojan Dridex. To do this, the researchers studied eight top-level domains that use the Informaer name and are associated with MageCart 5 according to RiskIQ.
Read also: Researchers identified a link between the Magecart Group 4 and Cobalt
Using WHOIS records that preceded the advent of the General Data Protection Regulation (GDPR), the researchers went to a “bulletproof” registrar in China called BIZCN/CNOBIN.
Similarly to “bulletproof” hosting, such companies ignore all complaints about the illegal activity of customers, and user identities are kept secret. However, specialists managed to identify the ninth Informaer domain (informaer[.]Info), which turned out to be not so well protected and led the experts to the email address (guotang323@yahoo.com) and phone number (+86.1066569215).
“This domain was registered at the same time as the other Informaer domains (literally talking about seconds), and was almost certainly used in MageCart 5”, – report Malwarebytes experts.
The mentioned email address turned out to be associated with other domains registered by the same person. Among them were several domains related to Dridex phishing campaigns, to which the Swiss CERT spoke in detail in 2017: corporatefaxsolutions[.]Com, onenewpost[.]Com and xeronet[.]Org.
Interestingly, experts have already met the phone number. Last year, the famous IS journalist Brian Krebs already mentioned this issue in his article on the investigation of Carbanak and theories about the origin of the group.
At the same time, Malwarebytes experts admit that all registration information informaer[.]Info could be specially falsified in order to confuse researchers. However, all this happened in 2016, when the attribution of MageCart has not yet been investigated. Analysts believe it is unlikely that Magecart 5 participants were already trying to confuse the tracks, given that no one had hunted them yet.
About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…
About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…
About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…
About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…
About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…
About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…