Magecart/Carbanak: Researchers from Malwarebytes have looked into the modus operandi of Magecart Group 5, noticing that its tactics differ somewhat from those of other Magecart attackers. Rather than compromising individual stores, Group 5 typically targets the third-party suppliers that e-commerce merchants rely on to load various libraries, analytics, or security seals. Compromising a single supplier affects hundreds of thousands of websites downstream. The skimming script used by Group 5 was heavily obfuscated and configured to exfiltrate data such as names, addresses, credit card numbers, expiration dates, and CVV codes. Attacks like this, in which thousands of stores are compromised at once, yield a higher return per successful compromise, which is why Group 5 favors this approach.

The group has used what researchers described as a bulletproof domain registrar in China, BIZCN/CNOBIN. Group 5 has registered many of its fake domains through this registrar, which is also used by other criminal organizations. Group 5 has typically practiced good operational security when registering domains, keeping itself anonymous and untraceable. In the most recent campaign, the group registered eight domains using a privacy protection service. Unfortunately for the group, however, it failed to apply that protection to one of the eight domains. The domain Informaer.info was registered with the registrant's contact information still visible, including an email address that researchers were able to view and analyze. Starting from this email address, they were able to build a network of other domains registered with it. Looking at the alternate email addresses, some of them appeared to have been used previously to register domains that delivered the Dridex banking trojan. Dridex has been around for many years, and to this day it continues to be delivered through spam campaigns.
The Carbanak group has also been active for years, primarily targeting banks and using a backdoor of the same name for espionage and data exfiltration. A 2017 report from the Swiss CERT outlined how Dridex was being used to deliver Carbanak's malware, essentially linking Carbanak to Dridex. The phone number in the domain registration, which Brian Krebs mentioned in a 2016 blog post, links the Carbanak group to a Russian security firm.
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is