Cobalt/Magecart: Joint research from Malwarebytes Labs and HYAS uncovered multiple similarities between the Cobalt group and Magecart Group 4 (MG4). Cobalt is known for targeting banks through spear-phishing campaigns, establishing a foothold in their networks, and sending money mules to collect cash from ATMs it has compromised around the globe. Based on the shared account naming pattern, the same email services, the same domain registrars, and the same privacy protections used by both MG4 and Cobalt, the researchers were able to link the two groups and believe they may be the same. Because of the privacy services in place, the researchers judged it unlikely that the naming convention would be known to any other threat actor, leading them to conclude that the domains had to be registered by the same actor. Searching its datasets, HYAS found that an email address used to register Magecart domains had also been used to carry out a spear-phishing campaign delivered through Word documents, which is precisely what Cobalt is known for. The same address was also used to register domain names resembling ones Cobalt has used in the past. What sets Cobalt/MG4 apart from other Magecart skimmers is where the skimming happens: standard Magecart attacks are client-side, using malicious JavaScript loaded in the victim's browser, whereas Cobalt/MG4 was observed carrying out server-side skimming. This technique uses a PHP script that intercepts and exfiltrates data directly at the web application level, while the data is being processed. Server-side skimming is much harder to detect because nothing is visible in the browser or to website scanners, leaving victims unaware that it is occurring. MG4 made the mistake of serving the PHP script as if it were a JavaScript file, which allowed its contents to be indexed and subsequently analyzed by researchers.
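The misconfiguration that exposed MG4's skimmer, a PHP file handed out as static JavaScript, is something a site owner can check for in their own crawl or scanner output. The following is an added example, not code from the report or from either research team; the `Resource` records, URLs and file bodies are constructed placeholders, and the PHP marker list is an assumption of what leaked server-side source typically contains.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from the original report): what a crawler
# or site scanner might log for a few resources on a shop's web server.
@dataclass
class Resource:
    url: str
    content_type: str
    body: str

PHP_OPEN_TAG = re.compile(r"<\?php\b|<\?=")
# Constructs that only make sense server-side (assumed marker list); any of
# them inside a resource served as JavaScript means PHP source is leaking
# as text instead of being executed by the application server.
PHP_MARKERS = re.compile(
    r"\$_(POST|REQUEST|GET)\[|file_put_contents\(|curl_exec\(|base64_encode\("
)

def looks_like_php(body: str) -> bool:
    """True if the body contains a PHP open tag or a server-side-only construct."""
    return bool(PHP_OPEN_TAG.search(body)) or bool(PHP_MARKERS.search(body))

def find_php_served_as_script(resources) -> list:
    """Return URLs of resources served as JavaScript whose body is PHP source.

    A hit is a defender's signal: the server is exposing server-side code under
    a script path, which is exactly how MG4's skimmer became indexable."""
    hits = []
    for r in resources:
        served_as_js = (r.url.lower().endswith(".js")
                        or "javascript" in r.content_type.lower())
        if served_as_js and looks_like_php(r.body):
            hits.append(r.url)
    return hits

# Constructed placeholders: one clean script, one PHP body under a .js path,
# and a normal PHP page that is executed (HTML comes back, not source).
SAMPLE = [
    Resource("https://shop.example/assets/app.js", "application/javascript",
             "document.addEventListener('DOMContentLoaded', function () {});"),
    Resource("https://shop.example/assets/vendor.min.js", "application/javascript",
             "<?php\n$p = $_POST['field'];\nfile_put_contents('log.txt', $p, FILE_APPEND);\n"),
    Resource("https://shop.example/checkout.php", "text/html",
             "<html><form method='post'></form></html>"),
]

if __name__ == "__main__":
    for url in find_php_served_as_script(SAMPLE):
        print("PHP source served as script:", url)
```

Run against real scanner output, the same check applied to every `.js` or `javascript`-typed response catches the leak before a crawler does; a PHP file that is executed correctly never returns its own source.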
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security