Cybercriminals engaged in one form of criminal activity sometimes have their hands in a wide variety of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a new iteration of a Magecart skimmer.
Magecart is a notorious — and ever-evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, syndicated groups have carried out numerous, sometimes massive, thefts of card information from websites, including those belonging to major companies such as TicketMaster and British Airways.
Malwarebytes researchers recently observed a threat actor deploying a payment card skimmer, based on a framework called mr.SNIFFA, across multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users who pay for purchases on e-commerce websites. The malware is known to use various obfuscation methods and tactics such as steganography to load its card-theft code onto unsuspecting target websites.
Sprawling crime haven
Their investigation into the infrastructure used in the campaign led to the discovery of a large web of other malicious activities, including cryptocurrency scams, malicious service sales forums, and stolen credit card numbers, which appeared to be linked to the same actor.
“Where one criminal service ends, another begins, but they’re often connected,” said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company’s research. “Looking beyond the code snippets and seeing the bigger picture helps to better understand the larger ecosystem and see potential trends.”
In the Magecart campaign observed by Malwarebytes, the threat actor used three different domains to deploy different components of the attack chain. Each of the domains had a name inspired by cryptocurrencies. For example, the domain that injected the initial redirect component of the infection chain was named “saylor2xbtc[.]com”, apparently in a nod to well-known Bitcoin proponent Michael Saylor. Other celebrities were referenced as well: a domain called “elon2xmusk[.]com” housed the loader for the skimmer, while “2xdepp[.]com” served the skimmer code itself.
Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor’s investigation showed that each of the three domains was associated with a wide range of other malicious activity.
The IP address that hosted the skimmer loader, for example, also hosted a fraudulent copy of the website of home decor and furniture company Houzz. Likewise, the IP address for 2xdepp[.]com, the site that hosted the skimmer, also hosted a website selling tools such as RDP, cPanel, and shells, and another website offering a cryptocurrency mixing service, something cybercriminals often use to make it harder to track illicitly earned money.
Malwarebytes researchers further uncovered blackbiz[.]top, a forum used by cybercriminals to advertise various malware services, hosted on the same subnet.
Cryptocurrency scams
Malwarebytes decided to check whether any other websites hosted on DDoS-Guard shared the same “2x” string in their domain names as the three sites associated with the Magecart campaign. The exercise revealed several fraudulent websites engaged in illicit cryptocurrency-related activities.
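The infrastructure pivot described over the last few paragraphs (starting from the three skimmer domains, looking at what else resolves to the same IP addresses and the same subnet, then searching the hoster's other domains for the “2x” naming convention) can be reproduced mechanically from passive-DNS style data. The script below is an added example and is not Malwarebytes' code; the resolution records are constructed for the example (RFC 5737 documentation addresses, `.example` names for the hypothetical co-hosted sites), and only the domains named in the article are real. It generalizes the article's one-off search into a reusable pivot over any record set.

```python
"""Infrastructure pivot for threat hunting: given seed domains, find other
domains co-hosted on the same IP or /24, then apply a naming heuristic.
All resolution data here is constructed for the example."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (domain,ip). The first three domains and
# blackbiz[.]top are named in the article; the rest are hypothetical.
SAMPLE_RECORDS = """\
saylor2xbtc[.]com,192.0.2.10
elon2xmusk[.]com,192.0.2.20
2xdepp[.]com,192.0.2.30
fake-furniture-shop[.]example,192.0.2.20
tools-market[.]example,192.0.2.30
coin-mixer[.]example,192.0.2.30
blackbiz[.]top,192.0.2.77
tesla2xgiveaway[.]example,198.51.100.5
legit-blog[.]example,203.0.113.9
"""

# Heuristic from the article: the campaign's domains all contain "2x".
NAMING_PATTERN = re.compile(r"2x")


def refang(domain: str) -> str:
    """Normalise defanged indicators ('example[.]com') to plain hostnames."""
    return domain.strip().lower().replace("[.]", ".")


def parse_records(text: str):
    """Parse 'domain,ip' lines into (hostname, ip_address) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ip = (part.strip() for part in line.split(","))
        records.append((refang(domain), ipaddress.ip_address(ip)))
    return records


def group_by_ip(records):
    """Map each IP to the set of domains resolving to it."""
    groups = defaultdict(set)
    for domain, ip in records:
        groups[str(ip)].add(domain)
    return groups


def group_by_subnet(records, prefix: int = 24):
    """Map each /prefix network to the set of domains hosted inside it."""
    groups = defaultdict(set)
    for domain, ip in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].add(domain)
    return groups


def pivot(seed_domains, records, prefix: int = 24):
    """Return domains sharing an IP with the seeds, and domains that only
    share the /prefix subnet. Seeds themselves are excluded from both."""
    seeds = {refang(d) for d in seed_domains}
    by_ip = group_by_ip(records)
    by_net = group_by_subnet(records, prefix)
    seed_ips = {str(ip) for d, ip in records if d in seeds}
    seed_nets = {
        str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        for d, ip in records if d in seeds
    }
    same_ip = set().union(*(by_ip[ip] for ip in seed_ips)) - seeds
    same_subnet = set().union(*(by_net[n] for n in seed_nets)) - seeds - same_ip
    return {"same_ip": same_ip, "same_subnet": same_subnet}


def lookalike_candidates(records, pattern=NAMING_PATTERN, exclude=()):
    """Domains (other than `exclude`) whose name matches the naming heuristic."""
    excluded = {refang(d) for d in exclude}
    return sorted(
        d for d, _ in records if d not in excluded and pattern.search(d)
    )


if __name__ == "__main__":
    seeds = ["saylor2xbtc[.]com", "elon2xmusk[.]com", "2xdepp[.]com"]
    recs = parse_records(SAMPLE_RECORDS)
    result = pivot(seeds, recs)
    print("co-hosted on the same IP:   ", sorted(result["same_ip"]))
    print("same /24 only:              ", sorted(result["same_subnet"]))
    print("other '2x' domains at host: ", lookalike_candidates(recs, exclude=seeds))
```

The subnet pivot is deliberately reported separately from the exact-IP pivot: on a bulletproof hoster a shared /24 is weak evidence on its own, and a hunter should treat those hits as leads to verify (registration dates, TLS certificates, content) rather than as confirmed links. The naming heuristic is likewise a lead generator, not a verdict; the article's own follow-up was to inspect each “2x” site's content before calling it part of the same operation.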
“These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy or Michael J. Saylor and are deceiving people with false hopes of earning thousands of BTC,” Segura said. “These cryptocurrency scams increased fivefold in the first half of 2022, according to a September 2022 report from Group-IB,” he added.
Malwarebytes also discovered several other DDoS-Guard-hosted sites that appeared to be related to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, and MSI, a web portal named after journalist Brian Krebs that sold stolen credit card data, and a site selling a range of phishing kits.
Malwarebytes’ research highlights the still-sprawling nature of some cybercriminal groups’ operations, even as others have begun to specialize in specific cybercrime activities and collaborate with one another on joint malicious campaigns.
In recent years, threat actors such as Evil Corp, North Korea’s Lazarus Group, DarkSide, and others have gained a reputation for being large and varied in their operations. More recently, however, others have begun to focus more on their own specific skills.
Research that security vendor Trend Micro conducted last year showed that more and more cybercriminals with diverse skill sets are coming together to offer cybercrime as a service. The company discovered that these criminal services consisted of groups offering access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on researching new attack methods and tactics.
“From an incident response mindset, this means [defenders] will need to identify these different groups that complement specific aspects of the overall attack, making it more difficult to detect and stop attacks,” Trend Micro concluded.