A joint analysis by Malwarebytes and security firm HYAS found significant similarities between the registration information for domain names used in the infrastructure of both Cobalt and a group tracked until now as Magecart Group 4 (MG4). In particular, both Cobalt and MG4 used the same email account naming pattern, the same email services, the same domain registrars and the same privacy protection services.
“Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure,” the researchers said in a report released today. “In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.”
HYAS, which provides attribution intelligence services, searched its datasets and found a particular email address that registered Magecart domains but was also used in a spear-phishing email campaign with malicious Word documents that fits Cobalt’s modus operandi. The same address was also used to register domain names that are very similar to those used by Cobalt in the past.
Who is Cobalt?
The Cobalt group, also identified as Carbanak in some reports, is a cybercrime gang that specializes in stealing large amounts of money from banks and other financial organizations. The group typically breaks into the networks of its targets via spear-phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Word.
After gaining a foothold, the group can spend months inside the compromised networks, performing lateral movement and studying their victims’ internal procedures and workflows, as well as their custom internal applications. This is all in preparation for a final heist that allows them to steal millions of dollars in one go, sometimes by hacking into the victim’s ATM network and sending money mules to collect the cash.
FIN7 cybercrime group also using card skimming
Recently, researchers from IBM found evidence that another cybercrime group called FIN7, which is related to Cobalt, has branched out into Web-based card skimming. FIN7 is known for compromising the physical point-of-sale systems of organizations from the retail, hospitality and restaurant sectors in order to steal payment card data. The recently observed Web skimming activity associated with FIN7 actually matches that of another group called Magecart Group 6.
“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it would be logical that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” the Malwarebytes and HYAS researchers said in their report.
Server-side skimming is much harder to detect, especially from the outside, because it is not visible to browsers or website scanners. To detect such compromises, website owners must use a solution that scans the files on the server itself or monitors their integrity to identify rogue changes.
The server-side skimming script targets Magento, an e-commerce platform, and is loaded automatically by the application. It then monitors application requests for certain keywords such as billing, cvv, year, cc_number, dummy, cc_, payment, card_number, username, expiry, firstname, login, shipping, month, securetrading and cvc2. If such keywords are detected, the request, along with the cookie information, is sent to an external server controlled by the attackers.
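A defender-side check covering the two detection routes mentioned above (integrity monitoring and scanning the server's own files), added here as an example and not taken from the Malwarebytes/HYAS report: it hashes a Magento tree against a trusted baseline and scores any added or modified PHP file by how many of the skimmer's reported request keywords it uses as string literals. The exfiltration markers, the score threshold, the sample paths and the two PHP snippets are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# Keywords the reported Magento server-side skimmer watches for in application requests.
SKIMMER_KEYWORDS = {
    "billing", "cvv", "year", "cc_number", "dummy", "cc_", "payment", "card_number",
    "username", "expiry", "firstname", "login", "shipping", "month", "securetrading", "cvc2",
}
# PHP constructs that ship captured data elsewhere (assumed markers, not from the report).
EXFIL_MARKERS = ("curl_init", "file_get_contents", "$_COOKIE", "base64_encode")

def read_tree(root):
    """Map relative path -> bytes for every file under root (e.g. the Magento web root)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}

def build_baseline(files):
    """SHA-256 per file; take this at deploy time and keep it off the web server."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_baseline(baseline, current):
    """Return (added, modified, removed) paths relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return added, modified, removed

def skimmer_score(source):
    """Distinct skimmer keywords used as string literals, plus exfil markers present."""
    literals = set(re.findall(r"""['"](\w+)['"]""", source))
    return len(literals & SKIMMER_KEYWORDS) + sum(m in source for m in EXFIL_MARKERS)

def review_changes(baseline, files, threshold=6):
    """Flag added or modified PHP files whose content resembles the skimmer."""
    added, modified, _ = diff_baseline(baseline, build_baseline(files))
    scores = {p: skimmer_score(files[p].decode("utf-8", "replace"))
              for p in added + modified if p.endswith(".php")}
    return {p: s for p, s in scores.items() if s >= threshold}

# Constructed samples (not real Magento code): a benign helper and a non-functional lookalike.
BENIGN_PHP = b"<?php\nclass Report { function period() { return ['year', 'month']; } }\n"
LOOKALIKE_PHP = (b"<?php\n$watch = ['billing', 'cvv', 'cc_number', 'card_number', 'expiry', 'cvc2', 'securetrading'];\n"
                 b"$grab = array_intersect_key($_REQUEST, array_flip($watch));\n$grab['cookies'] = $_COOKIE;\n$ch = curl_init();\n")
```

On a live system the baseline is saved at deploy time and later compared with `review_changes(saved_baseline, read_tree("/path/to/magento"))`; the benign sample scores 2 while the lookalike scores 9, so only the latter is flagged at the default threshold.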
“The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat,” the researchers said.