Magecart is an umbrella term for more than a dozen cybercriminal groups that specialize in planting scripts on websites to steal bank card data from payment forms. They are responsible for attacks on companies such as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.
"Group 4 is one of the most 'advanced' groups. Its members use sophisticated methods to mask traffic, for example by registering domain names associated with analytics companies or advertisers. The group has experience with banking malware, as does the Cobalt group," Malwarebytes experts say.
Researchers tracked the various Magecart groups, looking for elements of their infrastructure and for connections between domains and IP addresses. Based on indicators of compromise, registered domains, and the tactics, techniques and procedures used, the researchers concluded that Cobalt might have switched to web skimming.
The domains from which the skimmers were downloaded were registered to an email address at ProtonMail that RiskIQ researchers had previously linked to Magecart. After analyzing the data, the experts associated this address with other registration emails and found a common pattern: in particular, the mailboxes were created using the template [name], [initials], [last name], which Cobalt recently used for its ProtonMail accounts.
When analyzing the Group 4 infrastructure, researchers discovered a PHP script that had been made to look like JavaScript code. Source code of this type can only be seen with access to the server, since the script interacts exclusively with the server side.
"It is invisible to any scanner, because everything happens on the hacked server itself. Magecart skimmers were usually found on the browser side, but on the server side they are much more difficult to detect," said researcher Jerome Segura.
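Because a server-side skimmer never reaches the browser, the practical check is a file-system scan on the web server itself. The following added example (not code from the article or from Malwarebytes) walks a web root and flags files with JavaScript names whose bytes contain PHP open tags or PHP superglobals; the web root layout, marker list and sample files are constructed for the demonstration.

```python
"""Flag PHP code hiding under JavaScript file names (added example, not from the article)."""
import os
import re
import tempfile

# File extensions a browser would expect to hold only client-side JavaScript.
JS_EXTENSIONS = {".js", ".mjs"}

# PHP open tags and request superglobals; a constructed marker list, not an indicator from the article.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\$_(?:POST|GET|REQUEST|SERVER)\b")


def find_php_in_js(webroot):
    """Return sorted, slash-separated relative paths of JS-named files containing PHP markers."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in JS_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if PHP_MARKERS.search(data):
                hits.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed web root with one clean and one suspicious file, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    # Constructed benign client-side script: no PHP markers, must not be flagged.
    with open(os.path.join(root, "assets", "app.js"), "w") as fh:
        fh.write("document.querySelector('#pay').addEventListener('submit', validate);\n")
    # Constructed suspicious file: a JavaScript name over a PHP body that reads POSTed form data.
    with open(os.path.join(root, "assets", "jquery.min.js"), "w") as fh:
        fh.write("<?php /* constructed sample */ $fields = $_POST; ?>\n")
    return find_php_in_js(root)


if __name__ == "__main__":
    print(demo())
```

Run it from the server, not from a browser-side scanner, since only the on-disk bytes reveal the mismatch between the file name and its contents.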
Further research showed that, regardless of the email service used, only two different IP addresses were reused across 10 separate accounts, even with weeks or months between registrations.
One such mailbox is petersmelanie @protonmail, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign that exploited the CVE-2017-0199 vulnerability in Microsoft Office. The same mail account was used to register the oracle-business[.]com domain, which was tied to the Oracle-themed attacks associated with the Cobalt group.