Cybercriminals engaged in one form of criminal activity can sometimes have their hands in a wide range of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a fresh iteration of a Magecart skimmer.
Magecart is a notorious — and constantly evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, groups belonging to the syndicate have executed numerous — sometimes massive — heists of card information from websites, including those belonging to major companies like TicketMaster and British Airways.
Researchers from Malwarebytes recently observed a threat actor deploying a payment card skimmer — based on a framework called mr.SNIFFA — on multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users paying for purchases on e-commerce websites. The malware is known for employing various obfuscation methods and tactics like steganography to load its payment card stealing code onto unsuspecting target websites.
Sprawling Crime Haven
Their investigation of the infrastructure used in the campaign led to the discovery of a sprawling network of other malicious activities — including cryptocurrency scams, forums for selling malicious services, and stolen credit card numbers — that appeared linked to the same actor.
“Where one criminal service ends, another one begins — but often times they are linked,” said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company’s research. “Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends.”
In the Magecart campaign that Malwarebytes observed, the threat actor used three different domains for deploying different components of the attack chain. Each of the domains had a crypto-inspired name. The domain that injected the initial redirect component of the infection chain, for instance, was “saylor2xbtc[.]com,” apparently in a nod to noted Bitcoin proponent Michael Saylor. Other celebrities were referenced too: a domain named “elon2xmusk[.]com” hosted the loader for the skimmer, while “2xdepp[.]com” contained the actual encoded skimmer itself.
Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor’s investigation showed that each of the three domains was associated with a wide range of other malicious activities.
The IP address that hosted the skimmer loader, for instance, also hosted a fraudulent version of home décor and decoration company Houzz’s website. Similarly, the IP address for 2xdepp[.]com — the site hosting the skimmer — hosted a website selling tools like RDP, Cpanel, and Shells, and another website that offered a service for mixing cryptocurrencies — something cybercriminals often use to make illicitly earned money harder to trace.
Researchers at Malwarebytes further discovered blackbiz[.]top, a forum that cybercriminals use to advertise various malware services, hosted on the same subnet.
Malwarebytes decided to see if there were any other websites hosted on DDoS-Guard that had the same “2x” in their domain names as the three sites associated with the Magecart campaign. The exercise revealed multiple fraudulent websites engaged in illicit cryptocurrency-related activities.
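The pivots described above (shared hosting IP, shared subnet, shared “2x” naming pattern) are a routine infrastructure-clustering exercise for defenders. The following script is an added illustration of that workflow and is not Malwarebytes’ tooling or output. Only the domain names taken from the article are real; every IP address and every `.example` domain in the record list is a constructed placeholder standing in for what a passive-DNS lookup would return.

```python
"""
Infrastructure pivoting over passive-DNS-style records, following the
article's sequence: start from one skimmer domain, find what else sits on
the same IP, widen to the same /24, then look for the shared "2x" naming
pattern across the hosting provider's address space.

Added example, not Malwarebytes' code. IP addresses are CONSTRUCTED
(RFC 5737 documentation ranges) and the '.example' domains are constructed
stand-ins; only the defanged domain names come from the article.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: (domain as defanged in reports, hosting IP).
SAMPLE_RECORDS = [
    ("saylor2xbtc[.]com",        "203.0.113.10"),  # initial redirect (article)
    ("elon2xmusk[.]com",         "203.0.113.20"),  # skimmer loader (article)
    ("houzz-lookalike.example",  "203.0.113.20"),  # constructed: fake Houzz site
    ("2xdepp[.]com",             "203.0.113.30"),  # encoded skimmer (article)
    ("rdp-cpanel-shop.example",  "203.0.113.30"),  # constructed: tool shop
    ("mixer-service.example",    "203.0.113.30"),  # constructed: crypto mixer
    ("blackbiz[.]top",           "203.0.113.77"),  # forum on same subnet (article)
    ("tesla2xgiveaway.example",  "198.51.100.5"),  # constructed: giveaway scam
    ("unrelated-shop.example",   "198.51.100.9"),  # constructed: no link
]

# Hypothetical naming pattern derived from the article's three domains.
NAME_PATTERN = re.compile(r"2x")


def refang(domain: str) -> str:
    """Turn report-style 'example[.]com' back into a plain host name."""
    return domain.replace("[.]", ".").lower()


def _seed_ips(records, seed_domain):
    seed = refang(seed_domain)
    return {ip for d, ip in records if refang(d) == seed}


def same_ip(records, seed_domain):
    """First pivot: other domains sharing an IP with the seed domain."""
    seed, ips = refang(seed_domain), _seed_ips(records, seed_domain)
    return sorted(refang(d) for d, ip in records
                  if ip in ips and refang(d) != seed)


def same_subnet(records, seed_domain, prefix=24):
    """Second pivot: other domains whose IP falls in the seed's /prefix."""
    seed = refang(seed_domain)
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ip in _seed_ips(records, seed_domain)}
    return sorted(refang(d) for d, ip in records
                  if refang(d) != seed
                  and any(ipaddress.ip_address(ip) in n for n in nets))


def naming_pattern_matches(records, pattern=NAME_PATTERN):
    """Third pivot: domains across the provider that share the name pattern."""
    return sorted(refang(d) for d, _ in records if pattern.search(refang(d)))


def cluster_by_ip(records):
    """Group every domain by hosting IP; keep only IPs hosting more than one."""
    clusters = defaultdict(set)
    for d, ip in records:
        clusters[ip].add(refang(d))
    return {ip: sorted(ds) for ip, ds in clusters.items() if len(ds) > 1}


if __name__ == "__main__":
    seed = "2xdepp[.]com"
    print("same IP as", seed, "->", same_ip(SAMPLE_RECORDS, seed))
    print("same /24 as", seed, "->", same_subnet(SAMPLE_RECORDS, seed))
    print("'2x' naming pattern ->", naming_pattern_matches(SAMPLE_RECORDS))
    for ip, domains in cluster_by_ip(SAMPLE_RECORDS).items():
        print(ip, "hosts", domains)
```

In practice the record list would be replaced by a passive-DNS query, and each pivot produces candidates for review rather than confirmed attribution: a shared IP on a bulletproof host is a weak signal on its own, and it is the convergence of all three pivots on the same small set of names, as in the article, that makes the link credible.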
“These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC,” Segura said. “These crypto-giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB,” he added.
Malwarebytes also discovered multiple other sites on DDoS-Guard that appeared linked to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, and MSI, a Web portal named after journalist Brian Krebs for selling stolen credit card data, and one site selling a range of phishing kits.
Malwarebytes’ research highlights the still sprawling nature of some cybercrime groups, even as others have begun to specialize in specific cybercriminal activities with a view to collaborating with others on joint malicious campaigns.
Over the past few years, threat actors such as Evil Corp, North Korea’s Lazarus Group, DarkSide, and others have earned reputations for being both big and varied in their operations. More recently though, others have begun to focus more narrowly on their specific skills.
Research that security vendor Trend Micro conducted last year showed that, increasingly, cybercriminals with different skills are conglomerating to offer cybercrime-as-a-service. The company found these criminal services to be made up of groups offering access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on finding new attack methods and tactics.
“From an incident-response mentality, this means [defenders] will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks,” Trend Micro concluded.