The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT – Malwarebytes Labs
Bread crumbs left behind open up a possible connection between Magecart Group 5 and Carbanak.
According to Malwarebytes researchers, an active Magecart scheme has ties to Dridex phishing campaigns and the Carbanak group, revealing that skimmer scripts may be a prelude to more traditional malware use. Magecart Group 5 appears to have connections to the Carbanak Advanced Persistent Threat (APT) gang. Source: https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/
Deepak Patel, security evangelist at PerimeterX, provided the following comments:
“Magecart attacks use variations of formjacking, a well-known attack technique from a few years ago. More recently hackers have modified formjacking to exploit client-side vulnerabilities. In these attacks, the attacker places malicious scripts on a compromised web server and skims user data. Another evolution of an older attack technique into a new threat is trickbots. Trickbots wreaked havoc on banking sites in the mid-2010s, and now we see a resurgence of these bots on telco sites – leveraging Magecart to harvest and monetize personally identifiable information (PII) data. Enterprises have bolstered server-side application security, but these newer attacks are exposing client-side weak points.
“Today, it is evident from new research that Magecart attacks are probably executed by the same group of individuals who are innovating and taking the path of least resistance. While this new research does help with attribution, so far none of the Magecart groups have been identified or brought to justice, so the attacks will continue unabated. The best approach for website owners is to start monitoring every client-side script as it executes on the users’ browsers and get real-time visibility into the entire website supply chain of scripts and libraries.”