The use of these so-called bulletproof hosting services helps to keep the malicious infrastructure used by cybercriminal groups and fraudsters hidden from law enforcement agencies, the report notes.
Jordan Herman, a threat researcher at RiskIQ and one of the authors of the report, notes that bulletproof hosting services, along with other underground services, support a robust ecosystem that allows Magecart groups to thrive.
"This is just another part of the skimming ecosystem that includes carding shops, skimmer kits, sales of access to compromised sites, etc. … There's a vibrant black market around skimming," Herman says.
The Media Land hosting service has a reputation for catering to various cybercriminal groups, hackers and fraudsters. A 2019 article by security blogger Brian Krebs noted the service's owner aggressively touted Media Land on various underground forums and the platform was used to host illicit tools that support ransomware and other malware attacks as well as domains that support phishing campaigns.
Herman notes that several Magecart groups appear to be using the Media Land hosting service at any given time.
The RiskIQ researchers began investigating Media Land's activity while examining someone using the name "Julio Jaime," who has registered about 240 separate domains with Media Land. These domains were mainly used for phishing campaigns that appeared to target banking customers, such as the Bank of Ireland, as well as users of Microsoft Office 365.
The individual or group behind the Julio Jaime persona used the email address "medialand.regru@gmail[.]com" to help register these domains. This appears to be a reference to the Media Land hosting service. A second similar email address, "medialand.webnic@gmail[.]com," was also found, according to the report.
"These emails reference a hosting service - Media Land - that caters to criminal activity. It is unclear if there is a connection between the person(s) operating the emails and the person behind the hosting service," according to the RiskIQ report. "The Magecart domains registered by these emails have been connected to several different skimmers. It is also unclear whether these emails are directly controlled by actors carrying out skimming and phishing attacks or part of some third-party service."
Also, the RiskIQ researchers noted that a skimmer called Grelos, which was revamped by its Magecart operators in November 2020, is also supported by a domain that was registered by Julio Jaime and hosted on the Media Land service (see: Grelos Skimmer Variant Co-Opts Magecart Infrastructure).
The RiskIQ researchers believe that the email addresses associated with the Julio Jaime persona have registered about 1,000 domains with Media Land since 2018, many of which spoof brands such as Facebook and Google. And while many of these domains host skimmers, there are phishing domains as well, which are not typically associated with Magecart attacks.
"We're not clear if some of the phishing domains were used as an initial attack vector against websites that were later compromised with skimmers," Herman says. "That is certainly a possibility, but we don't know for certain. Most of the phishing domains were probably used just for phishing end users of various services."
Over the last several years, RiskIQ and other security firms have tracked thousands of attacks associated with various Magecart groups, including several high-profile incidents that have affected companies such as British Airways, Macy's, Wawa and Newegg.
In October 2020, Britain's Information Commissioner's Office announced that it would fine British Airways about $26 million over its security practices that led to the 2018 Magecart breach (see: British Airways' GDPR Fine Dramatically Reduced).