Researchers from Malwarebytes have analyzed the domains and activities of Magecart Group 5 and have determined connections to the Carbanak group and Dridex phishing campaigns.
Magecart Group 5’s modus operandi
Magecart Group 5 targets the supply chain used by e-commerce sites to load various libraries, analytics, or security seals.
Links to Carbanak group and Dridex campaigns
By analyzing the domains and email addresses used by the Magecart Group 5, researchers were able to identify several domains that are connected to the Dridex campaigns.
In particular, the guotang323@yahoo[.]com email address was found to have been used to register domains for various Dridex phishing campaigns, including
Furthermore, the Dridex loader was found delivering Carbanak malware to companies and high-value targets.
“Victimology also helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit.
In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground,” researchers concluded.