Mo Money, Mo Magecart

-

Online shopping sites are prime targets for cybercriminals. Large sites can process vast quantities of personal information and payment data, making them a high-value reward if successfully hijacked.

On 29 April, Malwarebytes Threat Intelligence shared a JavaScript web skimmer their team discovered on a compromised French Canadian online shoe store. The skimmer was injected into the online store's checkout page and used to siphon off payment data and billing info. Data entered into the site was exfiltrated to a domain in Russia.

I pivoted off this domain and looked at what was hosted on the same IP with a similar naming convention. This led to uncovered multiple other domains used for web skimming. I mapped the domains on VirusTotal graph here:

I then chucked these domains into URLscan and uncovered at least five other sites that have been compromised in these attacks:


Some additional pivoting uncovered a skimmer masquerading as a Bing Analytics domain that was injected into two sites and someone scanned the URL to the skimmer itself (h/t):

Analysis of the JavaScript web skimmer that is using standard base64 encoding to obfuscate the exfil domain:

Another JavaScript web skimmer with a different domain to exfiltrate data to:

I went ahead and copied the JavaScript from the Bing Analytics page and uploaded it to VirusTotal where it was detected as a JS card sniffer by eight AV engines:

On the same IP address as these skimmer domains was a Sage Pay phishing page targeting Polymax.co.uk:


Analysis

These Magecart attacks appear to be fairly limited in scope and have targeted shops running outdated software. These web skimming campaigns highlights importance of applying software patches, secure website administrator accounts (strong password and 2/MFA), and deploying a web application firewall (WAF).

The domains created by the Magecart threat actors - see IOCs below - highlight why organisations, like Google, should instead of "google-analytics.com" use "analytics.google.com" - granted they do now, but it is still leveraged in these campaigns. Watch out for variants of this.

These Magecart attacks present a considerable threat to any website with an online checkout system. The cybercriminals behind these campaigns are highly opportunistic and continuously scan the internet for vulnerable systems and run phishing attacks for admin credentials. Once card data has been stolen it can quickly make its way to the darknet and carding forums. Their value solely depends on their validity - which depreciates once a breach or skimmer is discovered.

Further research on Magecart:

IOCs

Magecart domains:
  • ssl-authorization[.]com
  • bing-analytics[.]com
  • bing-insert[.]com
  • cdn-jquery[.]com
  • google-analytisc[.]com
  • google-assignments[.]com
  • google-codes[.]com
  • google-ecommerce[.]com
  • google-gateway[.]com
  • google-money[.]com
  • google-sale[.]com
  • google-sanek[.]com
  • google-science[.]com
  • google-standard[.]com
  • google-tasks[.]com
  • google-thumbs[.]com
  • google-trusts[.]com
  • google-worldpay[.]com
  • google-worlds[.]com
  • paypal-assist[.]com
  • paypal-debit[.]com
  • paypal-merchant[.]com
  • paypal-merchants[.]com
  • paypal-worldpay[.]com
  • pay-sagepay[.]com
  • yahoo-manager[.]com
SagePay phishing domains:
  • pay-sagepay[.]com
  • sagepay-world[.]com
IPv4 host:
  • 82.148.31[.]214 (CC=RU ASN=AS50340 OOO Network of data-centers Selectel)
  • 8.209.70[.]103 (CC=DE ASN=45102 Alibaba (US) Technology Co., Ltd.)
  • 8.211.5[.]139 (CC=DE ASN=45102 Alibaba (US) Technology Co., Ltd.)
  • 47.254.170[.]245 (CC=DE ASN=45102 Alibaba (US) Technology Co., Ltd.)

Search Query
IP & Server page.ip:"8.211.5.139" AND page.server:"nginx/1.16.1"
IP & Server page.ip:"47.254.170.245" AND page.server:"nginx/1.16.1"
IP & Server page.ip:"8.209.70.103" AND page.server:"nginx/1.16.1"
IP & Server page.ip:"82.148.31.214" AND page.server:"nginx"
PTR page.ptr:belaychuk.ru

Sources:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more