Old Magecart domains are finding new life in subsequent cyber threat campaigns, many of which are entirely unrelated to web skimming.
Here’s the catch: when these domains come back online, they retain their call-outs to malicious domains placed on breached websites by cyber attackers, which means they also retain their value to cyber threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or for use in malvertising campaigns.
Subtle WHOIS ownership changes
We can see the original registration by the criminals, which occurred on March 16th of 2017, here:
These domains stayed active under the criminal’s control until they were sinkholed in September of 2018. The sinkholing appears in the WHOIS updates represented by a change in the nameserver:
According to the original registration clause, the domain stays sinkholed until the registrar lets it expire. The domain is then picked up by our shady advertiser a month later:
The change is very subtle, as the new domain holder registers the domain at the exact same registrar. However, changed WHOIS isn’t the only sign of a bad actor assuming control of a Magecart domain.
Purposeful traffic acceptance
Domain takeovers involving Magecart are different—cyber threat actors know these domains are infected with Magecart and seek them out on purpose.
Here is an example of the malicious call-out when the skimmer was alive on the domain:
The skimmer is fairly simple. When wielded by Magecart actors, it would attempt to grab any input fields on a page with a path that included a set of preconfigured keywords, “check out” or “payment,” for example.
Here’s the code under new ownership:
The clear change in the domain’s ownership after expiration and serving content on the exact same script paths tells us this was done deliberately by the new owners. We can also see this is not the first time these criminals have done this; at the end of the script, the cyber attackers inject another remote script. It’s a simple counter, which logs traffic so the new owners driving traffic through these hijacked domains know how large their “audience” is.
We can also see the call-out following in the call sequences from this script from a RiskIQ crawl:
The additional script, which includes cleverjump.org gives researchers at RiskIQ a clue about which other domains are in service by these cyber attackers. We can ask our datasets which other websites include this host and its script(s).
Checking host pair associations between cleverjump.org script inclusions from domains for just 2019 returns several hundred domains. Filtering through, we can find several old Magecart-related domains. Here’s a small sample:
Magecart is a global phenomenon that's redefined cybersecurity over the past four years. Not only has it victimized hundreds of thousands of sites and potentially millions of users, but it's also created a secondary market around its infrastructure.
These secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars they know have a lot of traffic coming to them. While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit. Moreover, in the future, cyber threat actors may also engage in other schemes and cyber threat activity far more malicious than advertising.
Site owners must maintain visibility into the code on their site—make sure it’s clean, updated, and checked on regularly. RiskIQ works with incredible partners to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever—dutiful vigilance and maintenance is the only way to prevent being victimized by Magecart and follow-up cyber attacks by secondary markets.