
Cobalt cybercrime group might be launching Magecart skimming attacks


Researchers have found links between Magecart-based Web skimming attacks and a sophisticated cybercrime group dubbed Cobalt that has stolen hundreds of millions from financial institutions worldwide. They also found evidence of server-side skimming, which is harder to detect than the typical JavaScript injections.

A joint analysis by Malwarebytes and security firm HYAS found significant similarities between the registration information for domain names used in their infrastructure by both Cobalt and a group tracked until now as Magecart Group 4 (MG4). In particular, both Cobalt and MG4 used the same email account naming pattern, the same email services, the same domain registrars and the same privacy protection services.

“Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure,” the researchers said in a report released today. “In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.”

HYAS, which provides attribution intelligence services, searched its datasets and found a particular email address that registered Magecart domains but was also used in a spear-phishing email campaign with malicious Word documents that fits Cobalt’s modus operandi. The same address was also used to register domain names that are very similar to those used by Cobalt in the past.
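The infrastructure pivoting described above can be reproduced on registration data. The following Python is an added example, not code from the Malwarebytes/HYAS report: it works over constructed WHOIS-style records (placeholder domains, documentation IP ranges), and the e-mail naming-pattern abstraction is an assumption, since the report does not disclose the actual convention.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample records, not data from the report.
# Fields: domain, registrant e-mail, registration IP, registrar, privacy service, tracked label.
RECORDS = [
    ("c-infra-1.example", "rowan.pike81@mailhost-a.example", "192.0.2.10", "RegistrarX", "PrivacyGuard", "Cobalt"),
    ("c-infra-2.example", "lena.frost92@mailhost-b.example", "192.0.2.10", "RegistrarX", "PrivacyGuard", "Cobalt"),
    ("skimmer-1.example", "omar.velde73@mailhost-a.example", "198.51.100.7", "RegistrarX", "PrivacyGuard", "MG4"),
    ("skimmer-2.example", "ida.marsh64@mailhost-b.example", "192.0.2.10", "RegistrarX", "PrivacyGuard", "MG4"),
    ("unrelated.example", "webmaster@corp.example", "203.0.113.5", "RegistrarY", "", "Other"),
]

# Pivots that many unrelated registrants share (a registrar, a privacy service) are
# weak on their own; a shared registration IP or account naming shape is far stronger.
STRONG = {"registration_ip", "email_shape"}


def email_shape(email: str) -> str:
    """Abstract the local part into a naming-pattern shape (assumed abstraction):
    runs of letters become 'a', runs of digits become '9', separators are kept."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"[a-z]+", "a", re.sub(r"\d+", "9", local))


def pivots(records):
    """Return every (kind, value) pivot whose labels span more than one tracked group,
    i.e. a piece of evidence connecting clusters that were tracked separately."""
    seen = defaultdict(set)
    for _domain, email, ip, registrar, privacy, label in records:
        seen[("registration_ip", ip)].add(label)
        seen[("email_shape", email_shape(email))].add(label)
        seen[("email_provider", email.split("@", 1)[1])].add(label)
        seen[("registrar", registrar)].add(label)
        if privacy:
            seen[("privacy_service", privacy)].add(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}


def ip_reuse(records):
    """Distinct registrant accounts seen behind each registration IP; many accounts
    on very few IPs is the reuse pattern the report describes."""
    accounts = defaultdict(set)
    for _domain, email, ip, *_rest in records:
        accounts[ip].add(email)
    return {ip: len(emails) for ip, emails in accounts.items()}


def link_evidence(records):
    """Per pair of tracked labels, count the strong and weak pivots connecting them."""
    out = defaultdict(lambda: {"strong": 0, "weak": 0})
    for (kind, _value), labels in pivots(records).items():
        for pair in combinations(sorted(labels), 2):
            out[pair]["strong" if kind in STRONG else "weak"] += 1
    return dict(out)
```

A pair linked only by weak pivots should be treated as a lead to investigate, not as attribution; here the Cobalt/MG4 pair is joined by a shared registration IP and a shared account naming shape as well.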

Who is Cobalt?

The Cobalt group, also identified as Carbanak in some reports, is a cybercrime gang that specializes in stealing large amounts of money from banks and other financial organizations. The group typically breaks into the networks of their targets via spear-phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Word.

After gaining a foothold, the group can spend months inside the compromised networks, performing lateral movement and studying their victims’ internal procedures and workflows, as well as their custom internal applications. This is all in preparation for a final heist that allows them to steal millions of dollars in one go, sometimes by hacking into the victim’s ATM network and sending money mules to collect the cash.

Copyright © 2019 IDG Communications, Inc.
