Magecart Groups Hide Behind 'Bulletproof' Hosting Service

Researchers Find Groups Hiding JavaScript Skimmers and Phishing Pages

Several Magecart groups hide their JavaScript skimmers, phishing domains and other malicious tools behind a "bulletproof" hosting service called Media Land, according to a report from security firm RiskIQ.

During their investigation, the RiskIQ researchers found that thousands of domains used for JavaScript skimmers, phishing domains and other malicious infrastructure have been registered with Media Land since 2018 using at least two email addresses and other aliases.

The use of these so-called bulletproof hosting services helps to keep the malicious infrastructure used by cybercriminal groups and fraudsters hidden from law enforcement agencies, the report notes.

Jordan Herman, a threat researcher at RiskIQ and one of the authors of the report, notes that bulletproof hosting services, along with other underground services, support a robust ecosystem that allows Magecart groups to thrive.

"This is just another part of the skimming ecosystem that includes carding shops, skimmer kits, sales of access to compromised sites, etc. … There's a vibrant black market around skimming," Herman says.

The Media Land hosting service has a reputation for catering to various cybercriminal groups, hackers and fraudsters. A 2019 article by security blogger Brian Krebs noted the service's owner aggressively touted Media Land on various underground forums and the platform was used to host illicit tools that support ransomware and other malware attacks as well as domains that support phishing campaigns.

Magecart is the umbrella name for cybercriminals who plant JavaScript skimmers in the checkout functions of e-commerce sites to steal payment card data. These attacks have targeted hundreds of sites over the past three years (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

Herman notes that several Magecart groups appear to be using the Media Land hosting service at any given time.

Hiding Skimmers

The RiskIQ researchers began investigating Media Land's activity while examining someone using the name "Julio Jaime," who has registered about 240 separate domains with Media Land. These domains were mainly used for phishing campaigns that appeared to target banking customers, such as the Bank of Ireland, as well as users of Microsoft Office 365.

The individual or group behind the Julio Jaime persona used the email address "medialand.regru@gmail[.]com" to help register these domains. This appears to be a reference to the Media Land hosting service. A second similar email address, "medialand.webnic@gmail[.]com," was also found, according to the report.

"These emails reference a hosting service - Media Land - that caters to criminal activity. It is unclear if there is a connection between the person(s) operating the emails and the person behind the hosting service," according to the RiskIQ report. "The Magecart domains registered by these emails have been connected to several different skimmers. It is also unclear whether these emails are directly controlled by actors carrying out skimming and phishing attacks or part of some third-party service."

As the researchers looked further into the domains Julio Jaime was registering with the Media Land service, they found several associated with JavaScript skimmers used by various Magecart groups. These include domains such as cdnpack[.]net and gstaticapi[.]com, according to the report.

The RiskIQ researchers also noted that a skimmer called Grelos, which was revamped by its Magecart operators in November 2020, is supported by a domain that was registered by Julio Jaime and hosted on the Media Land service (see: Grelos Skimmer Variant Co-Opts Magecart Infrastructure).

How the Grelos skimmer is connected to Media Land (Source: RiskIQ)

The RiskIQ researchers believe that the email addresses associated with the Julio Jaime persona have registered about 1,000 domains with Media Land since 2018, many of which spoof brands such as Facebook and Google. And while many of these domains host skimmers, there are phishing domains as well, which are not typically associated with Magecart attacks.

"We're not clear if some of the phishing domains were used as an initial attack vector against websites that were later compromised with skimmers," Herman says. "That is certainly a possibility, but we don't know for certain. Most of the phishing domains were probably used just for phishing end users of various services."

Magecart Activity

Over the last several years, RiskIQ and other security firms have tracked thousands of attacks associated with various Magecart groups, including several high-profile incidents that have affected companies such as British Airways, Macy's, Wawa and Newegg.

In October 2020, Britain's Information Commissioner's Office announced that it would fine British Airways about $26 million over its security practices that led to the 2018 Magecart breach (see: British Airways' GDPR Fine Dramatically Reduced).

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
