As Old Magecart Skimming Domains Come Back Online, Same Cyber Threats Remain
September 19, 2019
SAN FRANCISCO – September 19, 2019 – RiskIQ, the global leader in digital attack surface management, today released research exposing the hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks by a secondary market of cybercriminals.
Magecart has so radically changed the cyber threat landscape, victimizing hundreds of thousands of sites and millions of users, that other cybercriminals are building campaigns to monetize its handiwork. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars make these domains available again after they were sinkholed or otherwise deactivated, these scavengers buy them up. Their goal is to use them for malvertising and other cyber threat activity, monetizing the traffic from the breached websites on which references to these domains remain.
“The challenge with these domains is that many website owners were never aware of an active skimmer threat on their site in the first place,” says RiskIQ cyber threat researcher Yonathan Klijnsma. “And unfortunately, once these malicious domains come back online, bad actors can pick up where the original skimmer left off with the intention of monetization.”
Key takeaways include:
- The lifecycle of a malicious domain
- How bad actors take advantage of old Magecart domains
- How to read subtle WHOIS changes that indicate a takeover
- Tips for site owners to maintain visibility into the code on their site
These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know receive a lot of traffic. While the ads themselves aren’t malicious, the actors are exploiting the vulnerabilities in the breached websites. In the future, cyber threat actors may also engage in other schemes and cyber threat activity far more malevolent than advertising.
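The mechanism above (a breached site still loading code from a domain that lapsed and was re-registered) and the "subtle WHOIS changes" takeaway both come down to one defensive check a site owner can run: list the third-party script hosts a page loads, then compare each domain's registration date against the date the include was last reviewed. The following script is an added example written for this page; it is not RiskIQ's tooling or code from the report. The HTML page, the WHOIS-style creation-date table, the baseline review date and the hostnames are all constructed for illustration, and the registrable-domain helper is a deliberately naive stand-in for a public-suffix-list lookup.

```python
"""Audit a page's third-party script includes for domains that were
re-registered after the site owner last approved them, or that are
currently unregistered (dangling) and could be picked up by anyone.
Added example; assumes a constructed WHOIS lookup table."""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample: a checkout page that still loads scripts from two
# external hosts alongside its own CDN. Not a real site.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static.analytics-host.test/tag.js"></script>
<script src="//assets-cache.test/loader.js"></script>
<script src="/local/app.js"></script>
</head><body>checkout</body></html>
"""

# Constructed WHOIS-style table: registrable domain -> creation date.
# A domain missing from the table is treated as currently unregistered.
WHOIS_CREATED = {
    "shop.example": date(2015, 3, 2),
    "analytics-host.test": date(2019, 8, 30),  # registered again recently
}

# Date the site owner last reviewed and approved its third-party includes
# (constructed). Anything registered after this date was not what was
# approved, even if the hostname in the page never changed.
BASELINE = date(2018, 1, 1)

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def registrable_domain(host):
    # Naive: last two labels. Real code should consult the public suffix list
    # so that e.g. "example.co.uk" is handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def external_script_hosts(html, site_host):
    """Return the sorted hostnames of <script src> includes that belong to a
    different registrable domain than the site itself."""
    own = registrable_domain(site_host)
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        if src.startswith("//"):          # protocol-relative include
            src = "https:" + src
        host = urlparse(src).hostname     # None for relative paths like /local/app.js
        if host and registrable_domain(host) != own:
            hosts.add(host.lower())
    return sorted(hosts)


def classify_hosts(hosts, whois, baseline):
    """Map each host to 'ok', 'reregistered' (created after the baseline) or
    'unregistered' (no WHOIS record, so the include is dangling)."""
    result = {}
    for host in hosts:
        created = whois.get(registrable_domain(host))
        if created is None:
            result[host] = "unregistered"
        elif created > baseline:
            result[host] = "reregistered"
        else:
            result[host] = "ok"
    return result


def audit(html, site_host, whois, baseline):
    return classify_hosts(external_script_hosts(html, site_host), whois, baseline)


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HTML, "shop.example", WHOIS_CREATED, BASELINE).items():
        print(f"{status:13s} {host}")
```

In a real deployment the WHOIS table would be populated from live registration data for each third-party domain, and the baseline would be the date each include was added to the page. A "reregistered" verdict is the WHOIS signal the report refers to: the hostname on the page is unchanged, but the domain behind it now belongs to someone else. An "unregistered" verdict is the earlier stage of the same problem, an include that anyone could take over by registering the name.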
Because of RiskIQ's internet-scale visibility and ability to view a business's internet-facing attack surface as Magecart sees it, our researchers and technology first exposed, profiled, and analyzed Magecart. We continue to detect it as it evolves.
To download the full report, visit: https://www.riskiq.com/blog/labs/magecart-reused-domains/
RiskIQ is the leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of cyber threats associated with an organization’s digital presence. With more than 75 percent of cyber attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of cyber security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.
© 2019 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.