Magecart Group 4: A link with Cobalt Group? – Malwarebytes Labs | Malwarebytes Labs

In this blog, we will detail our findings and show that Group 4 was not only conducting client-side skimming via JavaScript but was—and most likely still is—doing the same server-side. This is important to note as most reports about Magecart only cover the former, which is by far easier to identify.


One group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.


Much more recently, information about the actual threat actors behind groups has come forward. For example, IBM publicly identified Group 6 as being FIN6. This is interesting on many levels because it reinforces the idea that existing threat groups have been leveraging their past experiences to apply them to theft in the e-commerce field.


Classifying Magecart threat actors is not an easy task due to the diversity of skimmers and their reuse. The effort of attributing Magecart to “groups” started with RiskIQ and Flashpoint’s comprehensive Inside Magecart report released in fall 2018, followed by Group-IB several months later.


Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any information entered by victims on the checkout page.