One group that caught our interest is Group 4, one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found interesting patterns in the email addresses used to register Magecart domains, patterns that match those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.
Much more recently, information about the actual threat actors behind the groups has come forward. For example, IBM publicly identified Group 6 as FIN6. This is interesting on many levels because it reinforces the idea that existing threat groups have been applying their past experience to theft in the e-commerce field.
Classifying Magecart threat actors is not an easy task due to the diversity of skimmers and their reuse. The effort of attributing Magecart to “groups” started with RiskIQ and Flashpoint’s comprehensive Inside Magecart report released in fall 2018, followed by Group-IB several months later.