Other Attackers Reuse Old Magecart Domains: ReportResearchers Say Widespread Web-Skimming Attacks Spawn Secondary Cybercrime Market
Decommissioned domains that were part of the pervasive Magecart web-skimming campaigns are being put to use by other cybercriminals who are re-activating them for other scams, including malvertising, according to researchers at RiskIQ, a San Francisco-based cybersecurity firm.
The success of the Magecart credit card attacks, which victimized hundreds of thousands of sites, millions of users and such major corporations as British Airways, Forbes, Ticketmaster and Newegg over the last 18 months, has led more cybercriminals to leverage Magecart’s tools, the researchers note in a report released Thursday.
Magecart appears to be a loose association of about a dozen different groups. Its campaigns have been well-documented by RiskIQ and other cybersecurity firms.
Many of those malicious domains have been permanently sinkholed. But others have been decommissioned by the registrar, held for a while and then put back into the pool of available domains.
"Here's the catch: When these domains come back online, they retain their call-outs to malicious domains placed on breached websites by attackers, which means they also retain their value to threat actors," the report says. "Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or for use in malvertising campaigns."
It's a new twist on a common trend, says Yonathan Klijnsma, a threat researcher at RiskIQ and author of the report.
"The concept of registering domains that get dropped is nothing new," Klijnsma tells Information Security Media Group. "For a fairly large portion of 'well-named' domains, these are bought up by domainers who simply do buy-sell trading of domains. What these guys are doing with taking over active injections on dead domains is unique. They’re not redirecting to something bad or monetizing a landing page; they're actively making use of the old injected script files."
In the report, Klijnsma calls Magecart “a global phenomenon that’s redefined cybersecurity over the past four years,” not only because of the breadth of the attacks but also because of the secondary market created around its infrastructure.
The groups behind Magecart have a long reach, according to RiskIQ and other researchers.
The Magecart hackers injected the malicious code into an e-commerce checkout form to steal the credit and payment card data and send it to an offsite server they control, a report earlier this month by Arxan and research firm Aite Group noted. The credit card numbers and other customer data were then sold on dark net sites and used to buy high-cost goods in the U.S. Those goods were then resold in other markets, the report finds.
This kind of attack is common, as the widespread use by Magecart groups shows. Arxan and Aite researchers say that while in-app code obfuscation and tamper detection can prevent formjacking, a huge attack surface is being created by e-commerce web applications that aren't secured. Another report by Symantec found that almost 4,800 websites are hit with formjacking attacks every month.
Flipping the Script
Bad actors seek out the Magecart domains because they know they remain infected with malicious code, according to RiskIQ.
"These guys are simply pushing in ads, but others can resume where the previous actors left off and continue skimming sensitive information or take it another step further and distribute malware," RiskIQ's Klijnsma says. "It gives the attackers access to visitor sessions in which the bad guys can do anything they want."
While RiskIQ and other cybersecurity firms look to interrupt Magecart attacks by taking down the infrastructure, the report says website domain owners need to ensure that the code on their sites is clean, updated and checked on a regular basis.