Here’s How Magecart Group 8 Stays Under the Radar

What’s the new development?

• Researchers at RiskIQ and Malwarebytes found that Magecart Group 8 has added a new infrastructure apart from its previous hosting domains Flowspec, JSC TheFirst, and OVH.
• Flowspec is a bulletproofing hosting service that was heavily used in multiple attacks by the group to host skimmers, phishing malware, ransomware, and other malware.
• Besides, similar malicious patterns were also observed in the other two hosting services, JSC The First and OVH.
• However, according to RiskIQ, the threat actor group has shifted its trove of stolen data to a new set of hosting services such as Velia[.]net, WorldStream, and Amazon.
• The malicious skimmer domains and a history of hundreds of compromised retail domains that date back to 2018 have been shifted to the Velia[.]net, which is likely to be used by the attackers in the future.

Other noteworthy facts

• Researchers at Malwarebytes uncovered another large part of infrastructure hosted on ICME and Crex Fex Pex that helped Magecart Group 8 to stay low for a long time.
• These infrastructures also included a number of other artifacts related to web skimming activity such as web shells, panels, and other tools.

These patterns tell a story

• Recently discovered patterns in malicious infrastructure indicate that the group is on a mission to expand its footprint.
• Furthermore, the sheer amount of infrastructure used by Mageacart Group 8 also reveals its sustained success in skimming online retail customers.

Conclusion