Magecart group 5 is linked to Carbanak and Dridex banking Trojan

The 'modus operandi' of Magecart 5 is very different from other, similar threat groups, according to Malwarebytes

Magecart Group 5, the cyber crime gang behind several supply-chain attacks, is linked to the Dridex banking Trojan and the Carbanak Advanced Persistent Threat (APT) gang.

That's according to the researchers at cyber security firm Malwarebytes, who arrived at this conclusion after analysing multiple Magecart domains registered through Chinese registrar BIZCN/CNOBIN.

Magecart attacks typically target organisations' payments systems by taking advantage of security vulnerabilities in ecommerce systems. The gangs then inject subtle JavaScript code onto the pages of ecommerce sites to exfiltrate credit card and personal details of customers as they check out.

According to Malwarebytes researchers, the 'modus operandi' of Magecart 5 is very different from other threat groups as it attempts to specifically target the weaknesses in the supply-chain used by e-commerce vendors. For example, the group targeted a chat feature hosted by a third party during the attack on Ticketmaster. The gang has also been linked with a similar attack on British Airways.

Compromising third-party suppliers and tampering with their libraries allows Magecart 5 to potentially attack hundreds or thousands of domains down the line at the same time.
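The risk described above is that a store loads a vendor's script verbatim, so any change made upstream runs on the store's checkout page unchecked. The script below is an added example, not code from Malwarebytes or from any of the vendors named in this article: it pins each third-party script URL to a Subresource Integrity (SRI) hash of its known-good content, renders the matching `<script integrity=...>` tag so the browser itself refuses altered content, and re-checks freshly fetched copies so a tampered library is flagged before it reaches customers. The URLs and script bodies are constructed placeholders; the `.test` domains stand in for whatever vendors a real store embeds.

```python
from __future__ import annotations

import base64
import hashlib

# Constructed sample: the script bodies a store would have pinned at deployment
# time for two hypothetical third-party scripts (not any real vendor's code).
BASELINE_SCRIPTS: dict[str, bytes] = {
    "https://chat.example-vendor.test/widget.js": b"window.ChatWidget = function () { /* open chat */ };\n",
    "https://cdn.example-vendor.test/analytics.js": b"window.track = function (e) { /* record event */ };\n",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity string for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(scripts: dict[str, bytes]) -> dict[str, str]:
    """Pin each third-party script URL to the hash of its reviewed, known-good content."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def script_tag(url: str, integrity: str) -> str:
    """Render a <script> tag the browser will refuse to execute if the bytes no longer match."""
    return f'<script src="{url}" integrity="{integrity}" crossorigin="anonymous"></script>'


def check_integrity(baseline: dict[str, str], fetched: dict[str, bytes]) -> dict[str, str]:
    """Compare freshly fetched script bodies against the pinned hashes.

    Returns {url: status}, where status is 'ok', 'MODIFIED' (content changed upstream),
    'MISSING' (pinned script no longer served) or 'UNEXPECTED' (a script not in the pinned set).
    """
    report: dict[str, str] = {}
    for url, expected in baseline.items():
        body = fetched.get(url)
        if body is None:
            report[url] = "MISSING"
        elif sri_hash(body) != expected:
            report[url] = "MODIFIED"
        else:
            report[url] = "ok"
    for url in fetched:
        if url not in baseline:
            report[url] = "UNEXPECTED"
    return report


def demo() -> dict[str, str]:
    """Run the check against a constructed 'current' fetch of the same vendor URLs."""
    baseline = build_baseline(BASELINE_SCRIPTS)
    # Constructed scenario: the chat widget gained one extra line upstream, the
    # analytics script is unchanged, and a script nobody pinned has appeared.
    fetched = dict(BASELINE_SCRIPTS)
    fetched["https://chat.example-vendor.test/widget.js"] += b"/* line appended by an unreviewed change */\n"
    fetched["https://cdn.example-vendor.test/extra.js"] = b"// not in the pinned set\n"
    return check_integrity(baseline, fetched)


if __name__ == "__main__":
    for url, integrity in build_baseline(BASELINE_SCRIPTS).items():
        print(script_tag(url, integrity))
    for url, status in demo().items():
        print(f"{status:10} {url}")
```

In practice the baseline is produced when the vendor script is reviewed and deployed, the integrity attribute is emitted into the checkout page template, and the re-fetch runs on a schedule; a `MODIFIED` result means the page would already have been refusing the new bytes, and is the signal to review what the vendor changed. The trade-off is that legitimate vendor updates also fail until the pin is refreshed, which is exactly the review step that unpinned loading skips.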

"This kind of supply-chain attack, where thousands of stores are loading altered code, has a much higher return than individually targeting stores," the researchers said in their report.

To gather more details about Magecart 5, the researchers analysed data from WHOIS records predating the EU's General Data Protection Regulation and uncovered registrant data from BIZCN/CNOBIN, essentially a "bulletproof registrar".

The researchers discovered a set of malicious domains, including informaer[.]info, which were registered by Magecart 5 using the email address [email protected].

Notably, this email account was also used earlier to register domains that were eventually utilised to launch a series of Magecart skimming and Dridex attacks, including an eFax campaign targeting German firms and two phishing attempts to spoof the Xero and OnePosting accounting services.

Dridex is a banking Trojan that was first observed in 2014. Since then, attackers have actively used Dridex to steal online banking credentials from potential targets.

The researchers also concluded that Magecart 5 has definite links to the Carbanak gang, also known as Cobalt, which uses the Carbanak backdoor to target ATMs and internal banking infrastructure. The leader of the gang was arrested in March 2018, but the activities of the group are still continuing.

Last month, security researchers warned that threat actors have been bringing old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.

Cyber security firm Malwarebytes had earlier warned e-commerce companies about a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems. The firm claimed that it had blocked nearly 65,000 web-skimming Magecart data theft attempts in July alone.