Press Releases

As Old Magecart Skimming Domains Come Back Online, Same Cyber Threats Remain

SAN FRANCISCO – September 19, 2019RiskIQ, the global leader in digital attack surface management, today released research exposing the hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks by a secondary market of cybercriminals.

Magecart has so radically changed the cyber threat landscape, victimizing hundreds of thousands of sites and millions of users, that other cybercriminals are building campaigns to monetize their handiwork. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars bring these campaigns back online after they were sinkholed or otherwise deactivated, these scavengers buy them up. Their goal is to use them for malvertising and other cyber threat activity, monetizing the traffic going to the breached websites on which these domains remain.

Both Magecart and these secondary markets are taking advantage of the fact that website owners have little visibility into the JavaScript running on their website. RiskIQ data shows the average Magecart skimmer stays on a site for over two months, but many remain there indefinitely. This lack of visibility means a lifecycle of a malicious domain embedded on a website—web-skimming to deactivation to reactivation to use in another type of cyber threat activity—can pass without the website owner having any inclination that something is wrong.

“The challenge with these domains is that many website owners were never aware of an active skimmer threat on their site in the first place,” says RiskIQ cyber threat researcher Yonathan Klijnsma. “And unfortunately, once these malicious domains come back online, bad actors can pick up where the original skimmer left off with the intention of monetization.”

Key takeaways include:

  • The lifecycle of a malicious domain
  • How bad actors take advantage of old Magecart domains
  • How bad actors hijack JavaScript injections for monetization
  • How to read subtle WHOIS changes that indicate a takeover
  • Tips for site owners to maintain visibility into the code on their site

These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know lead to a lot of traffic. While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites. In the future, cyber threat actors may also engage in other schemes and cyber threat activity far more malevolent than advertising.

Because of RiskIQ's internet-scale visibility and ability to view a business's internet-facing attack surface as Magecart sees them, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.

To download the full report, visit:

About RiskIQ
RiskIQ is the leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of cyber threats associated with an organization’s digital presence. With more than 75 percent of cyber attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of cyber security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.

Visit or follow us on Twitter. Try RiskIQ Community Edition for free by visiting

© 2019 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.


Holly Hitchcock
Front Lines Media