Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12.
The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, “New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks” and “Magento Attack: All Payment Platforms are Targets for Magecart Attacks.” However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we’ll break down here.
In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word “checkout” to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:
Magecart Group 12’s script tag from RiskIQ’s May report
The Magecart skimmer
The variable loading the skimmer
On February 3rd, Pimental and Kersten published their followup blog detailing their efforts to identify further opendoorcdn.com victims and have the skimming domain taken down by the Chinese company through which it was registered. On February 2nd, RiskIQ observed that opendoorcdn.com was replaced on at least two of the victim sites named in the blog by a live skimmer domain, toplevelstatic.com:
The new skimmer domain
New skimmer domain
RiskIQ has observed the toplevelstatic.com domain on three victim sites so far, all of which were previously compromised by opendoorcdn.com, as seen through our host pairs data set in RiskIQ Community:
Victims of original skimmer domain
Victims of new skimmer domain
The domain toplevelstatic.com was registered on February 1st, 2020, through Chinese registrar Guangzhou Shidaihulian (now.cn) and uses the same DNS provider as opendoorcdn.com, DNSPod (also based in China). Both domains are hosted on NGINX servers and use Let’s Encrypt certs. The IPs connected to toplevelstatic.com have changed at least once a day and sometimes more often, with each server, so far, based in Russia.
Resolutions for toplevelstatic.com
Hosting for opendoorcdn.com followed a more leisurely pace of flux. From January 2019 through January 2020, it sometimes used the same IP for weeks at a time and utilized servers based all over the world.
Resolutions for opendoorcdn.com
RiskIQ’s detection logic allowed us to identify additional domains hosting this particular magecart skimmer. Two popular emergency preparedness sites, beprepared.com and augasonfarms.com, were affected by one of these additional skimmer domains.
One of the new victims with an Alexa ranking of 105,288
Both sites are owned by Blue Chip Group Manufacturing and appear to be similarly constructed. We observed augasonfarms.com loading skimming code from storefrontcdn.com on January 27th. The beprepared.com site seems to have been loading the skimming code from January 16th through 29th. In these instances, the skimmer was added through a simple script tag.
Host pairs showing sites loading storefrontcdn.com
Magecart script on beprepared.com
It appears the injections have been removed from sites, and they are currently free of skimming code. Additional IOCs can be viewed in our Magecart Group 12 project here: https://community.riskiq.com/projects/b959cb28-d99c-b27b-bfd8-ae15d60a7e1b
Following the publication of this article, we noticed further detections showing that beprepared.com was also loading skimming code from wappallyzer.com, another Group 12 domain. Our data shows that this began on January 24th. We have communicated this to the affected company and are working with them to remediate.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
RiskIQ's #COVID19 Weekly Update:
➡️Car rental company Hertz filed for bankruptcy protection
➡️For the first time, the Boston Marathon has been canceled
➡️Most of the malicious coronavirus emails are coming from US IP space
Read full update here: http://bit.ly/2Uv3CMV
Microsoft Remote Desktop is spiking. Why? Because all work is now remote work and all access is now remote access. RiskIQ scans hundreds of ports and maps exposed services to provide security teams with a picture worth a thousand log lines. https://bit.ly/2xJ1Dgx
RiskIQ's #COVID19 Internet Intelligence Gateway will enable the cybersecurity community to fight a surge in pandemic-related cybercrime. Sign up, submit any suspicious COVID-19-related URL, and have RiskIQ's powerful global crawling network at your command http://bit.ly/3eon6ek
Via @InfosecurityMag, @DanRaywood highlights RiskIQ's new #COVID19 Internet Intelligence Gateway. This one-stop cybersecurity resource is the latest weapon in the fight against the surge in pandemic-related cybercrime. Read more here https://bit.ly/36ALU02