Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Other Attackers Reuse Old Magecart Domains: Report

Researchers Say Widespread Web-Skimming Attacks Spawn Secondary Cybercrime Market
Other Attackers Reuse Old Magecart Domains: Report

Decommissioned domains that were part of the pervasive Magecart web-skimming campaigns are being put to use by other cybercriminals who are re-activating them for other scams, including malvertising, according to researchers at RiskIQ, a San Francisco-based cybersecurity firm.

See Also: How to Build Your Cyber Recovery Playbook

The success of the Magecart credit card attacks, which victimized hundreds of thousands of sites, millions of users and such major corporations as British Airways, Forbes, Ticketmaster and Newegg over the last 18 months, has led more cybercriminals to leverage Magecart’s tools, the researchers note in a report released Thursday.

Magecart appears to be a loose association of about a dozen different groups. Its campaigns have been well-documented by RiskIQ and other cybersecurity firms.

In its report, RiskIQ has outlined the indications of compromise associated with the attacks, including the malicious domains that the threat actors used to “inject web-skimming JavaScript into browsers or as a destination for the skimmed payment information,” the report states.

Many of those malicious domains have been permanently sinkholed. But others have been decommissioned by the registrar, held for a while and then put back into the pool of available domains.

"Here's the catch: When these domains come back online, they retain their call-outs to malicious domains placed on breached websites by attackers, which means they also retain their value to threat actors," the report says. "Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or for use in malvertising campaigns."

It's a new twist on a common trend, says Yonathan Klijnsma, a threat researcher at RiskIQ and author of the report.

"The concept of registering domains that get dropped is nothing new," Klijnsma tells Information Security Media Group. "For a fairly large portion of 'well-named' domains, these are bought up by domainers who simply do buy-sell trading of domains. What these guys are doing with taking over active injections on dead domains is unique. They’re not redirecting to something bad or monetizing a landing page; they're actively making use of the old injected script files."

In the report, Klijnsma calls Magecart “a global phenomenon that’s redefined cybersecurity over the past four years,” not only because of the breadth of the attacks but also because of the secondary market created around its infrastructure.

Widespread 'Formjacking'

The groups behind Magecart have a long reach, according to RiskIQ and other researchers.

In August, cybersecurity firm Arxan published a report that linked a series of attacks to the group, saying malicious Javascript code was injected into more than 80 e-commerce websites with the goal of stealing credit card and other user data. The sites were hit by "formjacking" attacks, in which the JavaScript code - also known as Javascript skimmers, JavaScript sniffers or JS sniffers - was used to skim the payment and credit card data from payment pages and then send the information to the cybercriminals.

The Magecart hackers injected the malicious code into an e-commerce checkout form to steal the credit and payment card data and send it to an offsite server they control, a report earlier this month by Arxan and research firm Aite Group noted. The credit card numbers and other customer data were then sold on dark net sites and used to buy high-cost goods in the U.S. Those goods were then resold in other markets, the report finds.

This kind of attack is common, as the widespread use by Magecart groups shows. Arxan and Aite researchers say that while in-app code obfuscation and tamper detection can prevent formjacking, a huge attack surface is being created by e-commerce web applications that aren't secured. Another report by Symantec found that almost 4,800 websites are hit with formjacking attacks every month.

A key problem is that many website owners never know that an active skimmer is hitting their site, according to RiskIQ. On average, a Magecart skimmer stays on the site for more than two months, with some staying indefinitely. The entire lifecycle of the malicious domains - from loading malicious JavaScript into an infected website, going offline and returning online - can be completed without the website owner noticing, the security firm says.

"Unfortunately, once these malicious domains come back online, websites will still load in scripts from them," the RiskIQ report says. "Bad guys abuse this by loading up new JavaScript files on the malicious domains they buy up, effectively taking over where the skimmers left off. They do this for monetization through, for example, free advertisement space."

Flipping the Script

RiskIQ noted that in March 2017, a Magecart attacker, who began creating new skimming infrastructure, registered a domain - - for delivering the malicious JavaScript. It remained active and under the attacker’s control until it was sinkholed in September 2018 and stayed sinkholed until the registrar lets it expire. Just one month later, however, another bad actor picked up the domain with subtle changes, according to the report.

Bad actors seek out the Magecart domains because they know they remain infected with malicious code, according to RiskIQ.

"In the case of Magecart domains, attackers look to return specific JavaScript for the exact call the original Magecart actors made to grab their skimmer,” RiskIQ reports. “This call is not a call-out to the main website; it’s asking for one particular JavaScript resource that the new attackers put back online.”

For example, the original attackers were skimming for payment data by loading skimmer script from The bad actors who picked up the domain later also served that JavaScript file path because they knew its purpose and how they could monetize it, according to RiskIQ.

An example of the malicious call-out when the skimmer on the domain was live (Image: RiskIQ)

The coding changed with the new domain owner. The Magecart hackers tried to take any input fields on the page and targeted preconfigured keywords like "check out" or "payment." The new owners created JavaScript for the same requested path, but they injected additional page content because their goal was malvertising rather than skimming credit card information. RiskIQ says.

New code (Image: RiskIQ)

"These guys are simply pushing in ads, but others can resume where the previous actors left off and continue skimming sensitive information or take it another step further and distribute malware," RiskIQ's Klijnsma says. "It gives the attackers access to visitor sessions in which the bad guys can do anything they want."

While RiskIQ and other cybersecurity firms look to interrupt Magecart attacks by taking down the infrastructure, the report says website domain owners need to ensure that the code on their sites is clean, updated and checked on a regular basis.

About the Author

Jeffrey Burt

Jeffrey Burt

Contributing Editor

Burt is a freelance writer based in Massachusetts. He has been covering the IT industry for almost two decades, including a long stint as a writer and editor for eWEEK. Over the past several years, he also has written and edited for The Next Platform, Channel Partners, Channel Futures, Security Now, Data Center Knowledge, ITPro Today and Channelnomics.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.