Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming.
Here’s the catch: when these domains come back online, they retain their call-outs to malicious domains placed on breached websites by attackers, which means they also retain their value to threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or for use in malvertising campaigns.
We can see the original registration by the criminals, which occurred on March 16th of 2017, here:
These domains stayed active under the criminal’s control until they were sinkholed in September of 2018. The sinkholing appears in the WHOIS updates represented by a change in the nameserver:
According to the original registration clause, the domain stays sinkholed until the registrar lets it expire. The domain is then picked up by our shady advertiser a month later:
The change is very subtle, as the new domain holder registers the domain at the exact same registrar. However, changed WHOIS isn’t the only sign of a bad actor assuming control of a Magecart domain.
*Some of you readers might recognize this domain, which is part of a large cluster of activity we’ve covered before. For some additional pivot points check out magento-order.com and magelib.com.
Domain takeovers involving Magecart are different—threat actors know these domains are infected with Magecart and seek them out on purpose.
Here is an example of the malicious call-out when the skimmer was alive on the domain:
The skimmer is fairly simple. When wielded by Magecart actors, it would attempt to grab any input fields on a page with a path that included a set of preconfigured keywords, “check out” or “payment,” for example.
Here’s the code under new ownership:
The clear change in the domain’s ownership after expiration and serving content on the exact same script paths tells us this was done deliberately by the new owners. We can also see this is not the first time these criminals have done this; at the end of the script, the attackers inject another remote script. It’s a simple counter, which logs traffic so the new owners driving traffic through these hijacked domains know how large their “audience” is.
We can also see the call-out following in the call sequences from this script from a RiskIQ crawl:
The additional script, which includes cleverjump.org gives researchers at RiskIQ a clue about which other domains are in service by these attackers. We can ask our datasets which other websites include this host and its script(s).
Checking host pair associations between cleverjump.org script inclusions from domains for just 2019 returns several hundred domains. Filtering through, we can find several old Magecart-related domains. Here’s a small sample:
Magecart is a global phenomenon that’s redefined cybersecurity over the past four years. Not only has it victimized hundreds of thousands of sites and potentially millions of users, but it’s also created a secondary market around its infrastructure.
These secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars they know have a lot of traffic coming to them. While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit. Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising.
Site owners must maintain visibility into the code on their site—make sure it’s clean, updated, and checked on regularly. RiskIQ works with incredible partners to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever—dutiful vigilance and maintenance is the only way to prevent being victimized by Magecart and follow-up attacks by secondary markets.
We're #ThreatHunting in D.C.! The #infosec community is out in force to learn how to supercharge their investigations with RiskIQ's advanced data sets inside the @PassiveTotal platform.
Via @Forbes, RiskIQ research finds over 18,000 websites infested with #Magecart card-skimming #malware https://t.co/dKSfziG3dr #ecommerce
Just Launched! Adam Hunt of @riskIQ and Fredrik Nilsson of @axisipvideo discuss #cybersecurity, #IoT, and the threat of regulatory fines from #dataprivacy breaches on the latest Inside @ForbesCouncils #podcast! https://t.co/G0UoPfQCHf
We're here at #sector2019! Swing by booth #406 to find out everything new with security outside the firewall, and find out how to start defending your internet attack surface today.