A joint analysis by Malwarebytes and HYAS shows links between Cobalt and Magecart 4 (MG4) cybercrime groups
Cobalt Group (aka Carbanak) and Magecart-based web skimming attacks could be linked, according to a joint analysis by Malwarebytes and HYAS security researchers. Their report found significant similarities between the registration information for the domain names used in the infrastructure of Cobalt Group and that of another actor dubbed Magecart Group 4 (MG4). In particular, both cybercrime groups used the same email account naming pattern, email services, domain registrars and privacy protection services. “Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure,” the researchers said in the report. “In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.”
The MG4 TTPs according to the cyber security experts
The Cobalt TTPs show similarities with the Magecart ones
Cobalt Group emerged in 2016 with “jackpotting” attacks against financial institutions in Europe, which reportedly netted the group over $3 million. Since that time, they have purportedly amassed over a billion dollars from global institutions, evolving their TTPs as they go. Even as their tactics changed, an identifiable pattern in the email naming conventions historically used by the cybercrime group allowed HYAS not only to identify previous campaign domains, but also to link Cobalt Group campaigns to the Magecart domains. Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor besides those who registered both the Cobalt Group and Magecart infrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.
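The kind of registration-record pivoting described above (a shared registrant-email naming shape across providers, corroborated by a small number of registration IPs reused by many accounts), as an added illustration that is not code from the Malwarebytes/HYAS report: the records, the email naming shape, the providers and the IP addresses are all constructed placeholders, since the report does not publish the actual convention.

```python
import re
from collections import defaultdict

# Constructed registration records (not taken from the report). The email
# naming shape, providers and IPs are hypothetical placeholders.
RECORDS = [
    {"domain": "c-one.test",     "email": "grey-k4@provider-a.test",    "ip": "198.51.100.10"},
    {"domain": "c-two.test",     "email": "blue-m2@provider-b.test",    "ip": "198.51.100.10"},
    {"domain": "c-three.test",   "email": "rose-p7@provider-a.test",    "ip": "203.0.113.5"},
    {"domain": "m-one.test",     "email": "jade-q1@provider-b.test",    "ip": "203.0.113.5"},
    {"domain": "m-two.test",     "email": "onyx-z9@provider-a.test",    "ip": "198.51.100.10"},
    {"domain": "unrelated.test", "email": "john.smith@provider-a.test", "ip": "192.0.2.77"},
]

def email_shape(email):
    """Reduce the local part to its shape (letters -> a, digits -> 9), ignoring the provider."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"[a-z]", "a", re.sub(r"\d", "9", local))

def cluster_by_shape(records):
    """Domains grouped by registrant-email naming shape; singletons are dropped."""
    groups = defaultdict(list)
    for r in records:
        groups[email_shape(r["email"])].append(r["domain"])
    return {shape: doms for shape, doms in groups.items() if len(doms) > 1}

def ip_reuse(records):
    """Registration IPs used by more than one distinct registrant account."""
    ips = defaultdict(set)
    for r in records:
        ips[r["ip"]].add(r["email"])
    return {ip: sorted(emails) for ip, emails in ips.items() if len(emails) > 1}

def corroborate(records):
    """For each naming cluster: the domains, how many accounts it spans, and the IPs they share."""
    out = {}
    for shape, doms in cluster_by_shape(records).items():
        rows = [r for r in records if r["domain"] in doms]
        out[shape] = {
            "domains": doms,
            "accounts": len({r["email"] for r in rows}),
            "ips": sorted({r["ip"] for r in rows}),
        }
    return out

if __name__ == "__main__":
    print(corroborate(RECORDS))
    print(ip_reuse(RECORDS))
```

On the constructed records, five accounts across two providers collapse into one naming cluster backed by only two registration IPs, while the differently shaped address stays unlinked.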