Old Magecart Domains Come Back To Life

Hacking groups that make up Magecart are effective and persistent at stealing customer and payment card data through skimmers. Now old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming. 

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information

Shopping carts are attractive targets because they collect payment information from customers. The Magecart hacker often substitutes a piece of Javascript code, either by altering the Magento source or by redirecting the shopping cart using an injection to a website that hosts the malware. 

Magecart is known to have been active since 2016 and is quite prolific. Now RiskIQ has just released research Report that exposes the hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks by a secondary market of cybercriminals. 

This Report explains how Magecart has so radically changed the threat landscape, victimising hundreds of thousands of sites and millions of users, that other cyber-criminals are now building campaigns to monetise their handiwork. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars bring these campaigns back online after they were sinkholed or otherwise deactivated, these scavengers buy them up. 

Their goal is to use them for malvertising and other threat activity, monetising the traffic going to the breached websites on which these domains remain.

These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know lead to a lot of traffic. While ads themselves aren't malicious, they are exploiting the vulnerabilities in websites. In the future, threat actors may also engage in other schemes and threat activity far more malevolent than advertising.

In  the recent British Airways hack, Magecart tailored the attack to the specific system, according to the RiskIQ report. 
“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the report’s authors wrote.

Magecart is a global phenomenon that’s redefined cyber-security over the past four years. Not only has it victimised hundreds of thousands of sites and potentially millions of users, but it’s also created a secondary market around its infrastructure. 

These secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars they know have a lot of traffic coming to them. While the ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit. Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising. 

Site owners must maintain visibility into the code on their site, make sure it’s clean, updated, and checked on regularly. RiskIQ works to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever, dutiful vigilance and maintenance is the only way to prevent being victimised by Magecart and follow-up attacks by secondary markets. 

Google:         CSO Online:          RiskIQ:

You Mght Also Read:

Why Is Retail Cyber Security So Weak?:

Banks And Retailers Track How You Type, Swipe And Tap:

 

« Effective Cybersecurity Requires Both Cyber Training & Insurance Cover
Huawei Will Sell Its 5G Know-How »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

AON

AON

Aon is a leading global provider of risk management (including cyber), insurance and reinsurance brokerage, human resources solutions and outsourcing services.

Steptoe & Johnson

Steptoe & Johnson

Steptoe is an international law firm with offices in the USA, Europe and China. Practice areas include Cybersecurity, Privacy & National Security.

Adlink Technology

Adlink Technology

ADLINK is a leading provider of embedded computing products and services for applications including IoT and industrial automation.

Innovasec

Innovasec

Innovasec provide information security consulting and training services.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance combines insurance expertise with cybersecurity and data talent to deliver clear, effective solutions to protect you for the cyberrisks of today—and tomorrow.

Cyber Intelligence House (CIH)

Cyber Intelligence House (CIH)

Cyber Intelligence House provides risk exposure solutions for a wide range of audiences including companies, government agencies, regulators, investors, law enforcement and consumers.

Mitnick Security

Mitnick Security

Mitnick Security is a leading global provider of information security consulting and training services.

FINX Capital

FINX Capital

FINX strives to solve the cybersecurity issues with its proprietary technolog, FINX SHIELD, by utilizing big data, blockchain combined with artificial intelligence.

CoreStack

CoreStack

CoreStack helps enterprises overcome cloud challenges such as ever growing security risks, stringent regulatory compliance needs and operational complexities.

AirDroid Business

AirDroid Business

AirDroid Business is an efficient mobile device management solution for Android devices, helping businesses to remotely control and access devices in large quantities using a centralized approach.

ID R&D

ID R&D

ID R&D is an award-winning provider of AI-based facial liveness, document liveness, and voice biometrics.

Dion Training Solutions

Dion Training Solutions

Dion Training Solutions offer comprehensive training in areas such as project management, cybersecurity, agile methodologies, and IT service management.

Kodem Security

Kodem Security

Our mission is to make AppSec simple. Meet the world’s first dynamic software composition analysis platform. Only Kodem uses runtime intelligence to determine application risk.

Bulletproof Solutions

Bulletproof Solutions

Bulletproof provides IT expert support, services, and guidance to businesses small and large as they grow and adapt to today’s complex IT, cybersecurity, and compliance needs.

Seers

Seers

Seers is the world’s leading privacy & consent management platform for companies worldwide. Trusted by over 50,000+ businesses.