Some attackers operating under Magecart, an umbrella term for similar groups specialized in web-based skimming attacks, are now using bulletproof hosting services. Recently, a group was observed hiding its JavaScript skimmers using the bulletproof hosting service Media Land.

What has happened?

The use of bulletproof services is an important development for the Magecart skimming ecosystem that usually involves carding shops, skimmer kits, and sales of access to compromised sites, among others.
  • An individual named Julio Jaime registered around 240 separate domains at Media Land. These domains were used in phishing campaigns targeting bank clients and Microsoft Office 365 users.
  • The Julio Jaime persona used two different email addresses to register the domains. The domains registered with these email addresses were connected to various web skimmers.
  • A skimmer identified as Grelos, which was reconstructed by the Magecart group in November 2020, is also being operated by a domain that was registered by Julio Jaime and hosted on the Media Land service.

Recent use of bulletproof services

  • According to a recent analysis, throughout 2020, bulletproof hosting service providers continued to actively promote their services within criminal underground forums, despite several arrests and seizures of malicious infrastructure by law enforcement.
  • Last month, the U.S., along with international partners, shut down three bulletproof hosting services (insorg[.]org, safe-inet[.]com, and safe-inet[.]net) involved in criminal activities.


The use of bulletproof hosting services is likely to continue, and more attacks leveraging such services could be discovered in the future. Because these services are widely deployed across various geographical regions, a full blockade of them is impossible without the intervention of government agencies. However, organizations can protect themselves by blacklisting such hosting services using a firewall.

