
Old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming. 

Over the years, we’ve outed many Magecart web-skimming campaigns in reports that listed IOCs, including the malicious domains attackers used to inject web-skimming JavaScript into browsers or to receive the skimmed payment information. Many of these malicious domains have since been taken up for sinkholing by various parties. Others, however, are kicked offline by the registrar, placed on hold, and eventually released back into the pool of available domains. 

Here’s the catch: when these domains come back online, the breached websites still carry the call-outs to them that attackers placed there, which means the domains also retain their value to threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or use in malvertising campaigns.

Hijacking JavaScript injections

Many website owners are never aware of an active skimmer threat on their site—RiskIQ found that the average Magecart skimmer stays on a site for over two months, and many stay there indefinitely. The entire lifecycle of these malicious domains—loading JavaScript to an infected website, going offline, and then coming back online again—can pass without the website owner having an inkling that something was wrong. 

Unfortunately, once these malicious domains come back online, websites will still load scripts from them. Bad guys abuse this by hosting new JavaScript files on the malicious domains they buy up, effectively taking over where the skimmers left off. They do this to monetize the traffic, for example by turning the injection into free advertising space.

Subtle WHOIS ownership changes

Back in March 2017, a Magecart actor started setting up new skimming infrastructure and registered a domain used to deliver malicious JavaScript to visitors, cdnanalytics.net*, which you can explore in a RiskIQ Community Public Project.

We can see the original registration by the criminals, which occurred on March 16th of 2017, here:

These domains stayed active under the criminals’ control until they were sinkholed in September 2018. The sinkholing appears in the WHOIS history as a change of nameserver: 

According to the original registration clause, the domain stays sinkholed until the registrar lets it expire. The domain is then picked up by our shady advertiser a month later:


The change is very subtle, as the new domain holder registers the domain at the exact same registrar. However, changed WHOIS isn’t the only sign of a bad actor assuming control of a Magecart domain.
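The WHOIS signals described above, an original registration, a nameserver change to a sinkhole, and a fresh creation date at the same registrar once the domain is dropped and re-registered, can be checked programmatically over a domain’s WHOIS history. The following is an added example, not code from the post or from RiskIQ; the WHOIS snapshots, the registrar name and the sinkhole nameserver suffix are constructed placeholders, and only the March 16, 2017 registration date and the September 2018 sinkholing are taken from the post.

```python
from datetime import date

# Constructed WHOIS history for a hypothetical domain (not real registry data),
# modelled on the lifecycle the post describes: criminal registration,
# sinkholing, expiry, and re-registration at the same registrar.
# Each record is one WHOIS snapshot; 'created' is the registry creation date.
WHOIS_HISTORY = [
    {"observed": date(2017, 3, 16), "created": date(2017, 3, 16),
     "registrar": "Example Registrar",
     "nameservers": ["ns1.actor-dns.example", "ns2.actor-dns.example"]},
    {"observed": date(2018, 9, 12), "created": date(2017, 3, 16),
     "registrar": "Example Registrar",
     "nameservers": ["ns1.sinkhole.example"]},
    {"observed": date(2019, 4, 20), "created": date(2019, 4, 18),   # constructed re-registration date
     "registrar": "Example Registrar",
     "nameservers": ["ns1.parking-dns.example"]},
]

# Nameserver suffixes operated by sinkhole providers; hypothetical placeholder value.
SINKHOLE_NS_SUFFIXES = ("sinkhole.example",)


def is_sinkholed(record):
    """True if any nameserver in the snapshot belongs to a known sinkhole provider."""
    return any(ns.lower().endswith(SINKHOLE_NS_SUFFIXES) for ns in record["nameservers"])


def lifecycle_events(history):
    """Walk consecutive WHOIS snapshots and emit the ownership events a defender cares about.

    A later 'created' date means the registry dropped the domain and someone
    registered it afresh; that is the signal for a possible takeover. Whether
    the registrar stayed the same is recorded because, as in the post, an
    unchanged registrar makes the handover easy to miss.
    """
    events = []
    ordered = sorted(history, key=lambda r: r["observed"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["created"] > prev["created"]:
            same = cur["registrar"] == prev["registrar"]
            events.append({"event": "re-registered", "date": cur["created"],
                           "detail": "same registrar" if same else "new registrar"})
        elif is_sinkholed(cur) and not is_sinkholed(prev):
            events.append({"event": "sinkholed", "date": cur["observed"],
                           "detail": ", ".join(cur["nameservers"])})
        elif cur["nameservers"] != prev["nameservers"]:
            events.append({"event": "nameserver change", "date": cur["observed"],
                           "detail": ", ".join(cur["nameservers"])})
    return events


def was_reacquired_after_sinkhole(history):
    """True if the domain was sinkholed and later re-registered by a new holder."""
    kinds = [e["event"] for e in lifecycle_events(history)]
    return "sinkholed" in kinds and "re-registered" in kinds[kinds.index("sinkholed"):]


if __name__ == "__main__":
    for e in lifecycle_events(WHOIS_HISTORY):
        print(f'{e["date"]}  {e["event"]:<18} {e["detail"]}')
    print("re-acquired after sinkhole:", was_reacquired_after_sinkhole(WHOIS_HISTORY))
```

A site owner who keeps a list of the third-party domains their pages load can run this over periodic WHOIS snapshots of those domains; a `re-registered` event on a domain that the site still calls out to is the moment to pull the script tag, regardless of who the new holder is.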

*Some of you readers might recognize this domain, which is part of a large cluster of activity we’ve covered before. For some additional pivot points check out magento-order.com and magelib.com.

Purposeful traffic acceptance

Domain takeovers involving Magecart differ from ordinary parking of expired domains: threat actors know these domains are still referenced by Magecart-infected sites and seek them out on purpose.

Usually, a domain bought for parking monetization only serves a page when a visitor loads the website directly. In the case of Magecart domains, the new owners instead return specific JavaScript for the exact request the original Magecart injection makes to fetch the skimmer. That request is not a call-out to the main website; it asks for one particular JavaScript resource, which the new owners put back online. 

In this example, when the original criminals were skimming for payment data, they loaded skimmer script from cdnanalytics.net/ga.js. The new owners of the domain are also serving that JavaScript file path, which they wouldn’t be doing unless they knew what its purpose was and how they could use it for their own monetization.

Here is an example of the malicious call-out when the skimmer was alive on the domain:


The skimmer is fairly simple. When wielded by Magecart actors, it would attempt to grab all input fields on any page whose path included one of a set of preconfigured keywords, “check out” or “payment,” for example.

When the new owners took over the domain, they also created JavaScript for this requested script path. However, because the new owners are not after credit card information, they instead attempt to inject additional page content—an advertisement. 

Here’s the code under new ownership:


The clear change of ownership after expiration, combined with serving content on the exact same script path, tells us this was done deliberately by the new owners. We can also see this is not the first time these criminals have done this: at the end of the script, the attackers inject another remote script. It’s a simple counter, which logs traffic so the new owners driving traffic through these hijacked domains know how large their “audience” is. 

We can also see this call-out in the call sequence that a RiskIQ crawl recorded for the script:

The additional script, hosted on cleverjump.org, gives researchers at RiskIQ a clue about which other domains these attackers have in service. We can ask our datasets which other websites include this host and its script(s). 

Checking host-pair associations for domains that included scripts from cleverjump.org in 2019 alone returns several hundred domains. Filtering through them, we find several old Magecart-related domains. Here’s a small sample:

  • cdnapis.com
  • contextjs.info
  • nexcesscdh.net
  • ossmaxcdn.com
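The pivot described above, from one counter script back to the hosts that include it and then to the old Magecart domains among them, comes down to indexing host-pair records by child host. The following is an added example and not RiskIQ’s own tooling or data; the host-pair records and the site hostnames are constructed, while the five Magecart domains in the watchlist and the cleverjump.org and cdnanalytics.net/ga.js names are the ones the post mentions.

```python
from collections import defaultdict

# Constructed host-pair records, shaped as (parent host, child host, child path):
# content served by the parent caused the browser to fetch the child resource.
# Illustrative data, not RiskIQ crawl output.
HOST_PAIRS = [
    ("shop-a.example", "cdnanalytics.net", "/ga.js"),
    ("cdnanalytics.net", "cleverjump.org", "/counter.js"),
    ("shop-b.example", "cdnapis.com", "/stats.js"),
    ("cdnapis.com", "cleverjump.org", "/counter.js"),
    ("forum-c.example", "cleverjump.org", "/counter.js"),
    ("shop-d.example", "contextjs.info", "/context.js"),
    ("shop-e.example", "cdn.library.example", "/lib.min.js"),
]

# Old Magecart domains named in the post.
KNOWN_MAGECART = {"cdnanalytics.net", "cdnapis.com", "contextjs.info",
                  "nexcesscdh.net", "ossmaxcdn.com"}


def parents_of(pairs):
    """Map each child host to the set of hosts whose content includes it."""
    index = defaultdict(set)
    for parent, child, _path in pairs:
        index[child].add(parent)
    return index


def pivot(pairs, host):
    """Hosts that include scripts from `host`: the first pivot step in the post."""
    return set(parents_of(pairs).get(host, set()))


def repurposed_candidates(pairs, host, watchlist):
    """Pivot hosts that are also old Magecart domains: likely bought-back infrastructure."""
    return pivot(pairs, host) & watchlist


def paths_served(pairs, host):
    """Script paths observed on `host`; a revived skimmer path is the tell the post describes."""
    return {path for _parent, child, path in pairs if child == host}


def affected_sites(pairs, hosts):
    """Hosts that still load a script from any of `hosts` (the pages needing cleanup)."""
    index = parents_of(pairs)
    return {parent for h in hosts for parent in index.get(h, set())}


if __name__ == "__main__":
    hits = repurposed_candidates(HOST_PAIRS, "cleverjump.org", KNOWN_MAGECART)
    print("old Magecart domains now feeding cleverjump.org:", sorted(hits))
    for h in sorted(hits):
        print(f"  {h}: paths {sorted(paths_served(HOST_PAIRS, h))}, "
              f"sites still calling out {sorted(affected_sites(HOST_PAIRS, {h}))}")
```

Against a real crawl dataset the same index is built from many millions of pairs, and the pivot is usually run with a date window, as the post does for 2019, so that inclusions from before the domain changed hands are not mixed in with the new owner’s activity.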

Conclusions

Magecart is a global phenomenon that’s redefined cybersecurity over the past four years. Not only has it victimized hundreds of thousands of sites and potentially millions of users, but it’s also created a secondary market around its infrastructure. 

The actors in these secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars that they know still receive a lot of traffic. While the ads themselves aren’t malicious, the actors are exploiting vulnerabilities in websites, and the site owners see none of the benefit. Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising. 

Site owners must maintain visibility into the code on their site: make sure it’s clean, updated, and checked regularly. RiskIQ works with incredible partners to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever. Dutiful vigilance and maintenance are the only way to prevent being victimized by Magecart and by follow-up attacks from these secondary markets. 
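The visibility the post asks for starts with an inventory of every external script a page loads, since a stale include such as the cdnanalytics.net/ga.js call-out discussed earlier keeps working no matter who owns the domain. The following is an added example, not code from the post or from RiskIQ; the checkout page HTML, the site hostname and the allow-listed CDN host are constructed, and the watchlist holds the Magecart domains the post names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for a hypothetical shop (shop.example). The
# protocol-relative include of cdnanalytics.net/ga.js is the kind of leftover
# call-out the post describes; the other tags are ordinary first- and third-party scripts.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.library.example/lib.min.js"></script>
  <script src="//cdnanalytics.net/ga.js"></script>
  <script src="https://unknown-stats.example/track.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

# Third-party hosts the site owner has reviewed and accepted; hypothetical.
ALLOWED_HOSTS = {"cdn.library.example"}
# Old Magecart domains named in the post.
KNOWN_MAGECART = {"cdnanalytics.net", "cdnapis.com", "contextjs.info",
                  "nexcesscdh.net", "ossmaxcdn.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def script_hosts(html, site_host):
    """Return (host, path) for each script; relative srcs belong to the site itself."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    out = []
    for src in parser.srcs:
        parsed = urlparse(src)  # handles https://, protocol-relative //host, and bare paths
        host = parsed.netloc.lower() or site_host.lower()
        out.append((host, parsed.path))
    return out


def audit_scripts(html, site_host, allowed_hosts, watchlist):
    """Classify every script include so unreviewed third parties stand out."""
    findings = []
    for host, path in script_hosts(html, site_host):
        if host == site_host.lower():
            verdict = "first-party"
        elif host in watchlist:
            verdict = "known-magecart"
        elif host in allowed_hosts:
            verdict = "allowed"
        else:
            verdict = "unreviewed"
        findings.append({"host": host, "path": path, "verdict": verdict})
    return findings


def needs_attention(findings):
    """Includes that should be removed or reviewed before the page ships again."""
    return [f for f in findings if f["verdict"] in ("known-magecart", "unreviewed")]


if __name__ == "__main__":
    results = audit_scripts(SAMPLE_HTML, "shop.example", ALLOWED_HOSTS, KNOWN_MAGECART)
    for f in results:
        print(f'{f["verdict"]:<15} {f["host"]}{f["path"]}')
    print("needs attention:", [f["host"] for f in needs_attention(results)])
```

Run over the rendered HTML of the checkout and payment pages rather than the templates, since skimmer injections typically live in the served page or a database field rather than in source control, and keep the allow list short: a third-party host that nobody on the team can explain is exactly the include that a repurposed domain hides behind.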
