Old Magecart Domains Come Back To Life

Hacking groups that make up Magecart are effective and persistent at stealing customer and payment card data through skimmers. Now old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming. 

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information

Shopping carts are attractive targets because they collect payment information from customers. The Magecart hacker often substitutes a piece of Javascript code, either by altering the Magento source or by redirecting the shopping cart using an injection to a website that hosts the malware. 

Magecart is known to have been active since 2016 and is quite prolific. Now RiskIQ has just released research Report that exposes the hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks by a secondary market of cybercriminals. 

This Report explains how Magecart has so radically changed the threat landscape, victimising hundreds of thousands of sites and millions of users, that other cyber-criminals are now building campaigns to monetise their handiwork. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars bring these campaigns back online after they were sinkholed or otherwise deactivated, these scavengers buy them up. 

Their goal is to use them for malvertising and other threat activity, monetising the traffic going to the breached websites on which these domains remain.

These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know lead to a lot of traffic. While ads themselves aren't malicious, they are exploiting the vulnerabilities in websites. In the future, threat actors may also engage in other schemes and threat activity far more malevolent than advertising.

In  the recent British Airways hack, Magecart tailored the attack to the specific system, according to the RiskIQ report. 
“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the report’s authors wrote.

Magecart is a global phenomenon that’s redefined cyber-security over the past four years. Not only has it victimised hundreds of thousands of sites and potentially millions of users, but it’s also created a secondary market around its infrastructure. 

These secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars they know have a lot of traffic coming to them. While the ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit. Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising. 

Site owners must maintain visibility into the code on their site, make sure it’s clean, updated, and checked on regularly. RiskIQ works to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever, dutiful vigilance and maintenance is the only way to prevent being victimised by Magecart and follow-up attacks by secondary markets. 

Google:         CSO Online:          RiskIQ:

You Mght Also Read:

Why Is Retail Cyber Security So Weak?:

Banks And Retailers Track How You Type, Swipe And Tap:

 

« Effective Cybersecurity Requires Both Cyber Training & Insurance Cover
Huawei Will Sell Its 5G Know-How »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

PubNub

PubNub

PubNub enables developers to build secure realtime Mobile, Web, and IoT Apps.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

CERT Syria

CERT Syria

CERT Syria is the national Computer Emergency Response Team for Syria.

Cyber Future Foundation (CFF)

Cyber Future Foundation (CFF)

CFF was established to create a cyberspace where digital commerce and innovation can thrive based on trust and respect to individual privacy.

TCN

TCN

TCN is an advanced System Integrator and Infrastructure Company in Albania.

Data Protection People

Data Protection People

Data Protection People are specialists in Data Privacy, Governance, and Information Security.

Farsight Security

Farsight Security

Farsight Security provides the world’s largest real-time actionable threat intelligence on how the Internet is changing.

Wiser Market

Wiser Market

Wiser Market is a leading company in global online brand protection services, intellectual property protection, anti-Counterfeit & trademark infringements.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

HancomWITH

HancomWITH

Hancomwith is an information security company. We provide optimized blockchain solutions in areas including next-generation authentication, security and digital asset transaction.

Schweitzer Engineering Laboratories (SEL)

Schweitzer Engineering Laboratories (SEL)

SEL specializes in creating digital products and systems that protect, control, and automate power systems around the world.

Foretrace

Foretrace

Foretrace aims to prevent, assess, and contain the exposure of customer accounts, domains, and systems to malicious actors.

KT Secure

KT Secure

KTSecure’s mission is to provide proven and productive cyber security solutions and managed services, backed by our highly qualified and passionate team of experts.

Surfshark

Surfshark

Surfshark is a cybersecurity company focused on developing humanized privacy & security protection solutions to secure people's digital lives.

LogicMonitor

LogicMonitor

LogicMonitor provides SaaS-based IT infrastructure monitoring services for on-premises and multi-cloud environments.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.