AN OVERVIEW OF THE ACTORS BEHIND THE LARGEST MAGECART ATTACK (SO FAR!)

  • Previous eCommerce attacks by the actors appear to target two languages exclusively for the checkout pages: English and Portuguese.
  • Some of their infrastructure has previously been tied to the Brazilian-focused Lampion banking trojan, further reinforcing an interest in the LATAM market.
  • Infrastructure (IPs and domains) is re-used across campaigns.
  • The actors frequently employ homoglyph-style attacks, mimicking various protocols or legitimate web services for their domains.
  • Presently, there are no direct operational linkages which connect the actors conducting the attacks with the seller ‘z3r0day’ and the alleged ‘Cardbleed’ exploit.
  • The actors responsible for the attacks appear to have been carrying out similar attacks prior to 15 August 2020, when the ‘Cardbleed’ exploit was offered for sale.
  • The attacker has previously been shown to reuse specific TTPs and infrastructure; however, it is reasonable to expect that an attacker who has gained a significant advantage would want to avoid detection for as long as possible.
  • The attacker may have felt compelled to act quickly and operate using infrastructure that they deemed reliable.
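As an added example (not code from the article or from Cyborg Security), a defender-side check for the homoglyph-style domains described above: it folds confusable digits and digraphs into the letters they imitate, compares the result against a hypothetical list of legitimate service names and protocol keywords (both assumptions), and runs over constructed sample domains rather than indicators from the article.

```python
from difflib import SequenceMatcher

# Names a lookalike domain might imitate: legitimate web services plus protocol
# keywords. Hypothetical lists, an assumption for this example, not from the article.
LEGITIMATE_NAMES = ["google", "cloudflare", "jquery", "magento", "paypal"]
PROTOCOL_TOKENS = ["https", "http", "ssl", "tls"]

# Digits and digraphs that visually stand in for letters in homoglyph-style domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
               "4": "a", "5": "s", "7": "t", "8": "b"}

def second_level_label(domain):
    """Return the label directly left of the TLD, e.g. 'cloudf1are' for 'cloudf1are.net'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize_label(label):
    """Fold confusable digits/digraphs into the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def best_match(label):
    """Closest legitimate name to the normalized label, with a 0..1 similarity."""
    norm = normalize_label(label)
    best, score = None, 0.0
    for name in LEGITIMATE_NAMES:
        s = SequenceMatcher(None, norm, name).ratio()
        if s > score:
            best, score = name, s
    return best, score

def classify_domain(domain, threshold=0.85):
    """Return a reason string if the domain looks like an impersonation, else None."""
    sld = second_level_label(domain)
    name, score = best_match(sld)
    if name and sld != name and score >= threshold:
        return f"homoglyph of {name} (similarity {score:.2f})"
    for token in PROTOCOL_TOKENS:
        if token in sld:
            return f"protocol keyword '{token}' in hostname"
    return None

def flag_lookalikes(domains, threshold=0.85):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify_domain(d, threshold))}

# Constructed sample domains, not indicators from the article.
SAMPLE_DOMAINS = ["cloudflare.com", "cloudf1are.net", "rnagento.com",
                  "paypa1.com", "https-checkout.net", "example.com"]

if __name__ == "__main__":
    for d, reason in flag_lookalikes(SAMPLE_DOMAINS).items():
        print(f"{d}: {reason}")
```

The similarity threshold and the name list are tuning knobs; a production check would use the organisation's own allow-list of script and payment hosts rather than the hypothetical names here.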

Cyborg Security