Magecart Group 8, also tracked as CoffeMokko, Keeper, and FBseo, is one of the oldest threat actors in the digital skimming space. Active since 2016, the group first drew wide attention after its attacks on MyPillow and Amerisleep in 2019.
After its attack on NutriBullet, the group was believed to have gone quiet, only to return with new surprises. Researchers have since identified new threat infrastructure and attacks across the globe.
What’s the new development?
- Researchers at RiskIQ and Malwarebytes found that Magecart Group 8 has added new infrastructure beyond its previous hosting providers Flowspec, JSC TheFirst, and OVH.
- Flowspec is a bulletproof hosting service that the group used heavily across multiple attacks to host skimmers, phishing kits, ransomware, and other malware.
- Similar malicious patterns were also observed on the other two hosting providers, JSC TheFirst and OVH.
- According to RiskIQ, the group has now moved its trove of stolen data to a new set of hosting providers, including Velia[.]net, WorldStream, and Amazon.
- The malicious skimmer domains, together with a history of hundreds of compromised retail domains dating back to 2018, have been moved to Velia[.]net, which the attackers are likely to keep using in the future.
Other noteworthy facts
- Researchers at Malwarebytes uncovered another large part of the infrastructure, hosted on ICME and Crex Fex Pex, that helped Magecart Group 8 stay under the radar for a long time.
- This infrastructure also held a number of other artifacts related to web skimming activity, such as web shells, control panels, and other tooling.
These patterns tell a story
- The recently discovered patterns in malicious infrastructure indicate that the group is working to expand its footprint.
- The sheer amount of infrastructure operated by Magecart Group 8 also reflects its sustained success in skimming online retail customers.
Conclusion
Over the past couple of years, online shopping has grown at a rapid pace, and it peaked more than ever during the COVID-19 pandemic. Cybercriminals such as the Magecart groups have turned their attention to this trend to increase their profits. Online retailers and their customers must therefore follow security best practices to thwart such attacks.
Source: https://cyware.com/news/heres-how-magecart-group-8-stays-under-the-radar-dd9ea46d