- Malicious domains that have been used in previous Magecart attacks are being purchased by bad actors for various malicious purposes including ad fraud and malvertising campaigns.
- The entire lifecycle of these malicious domains being used in the Magecart campaign, getting sinkholed, and then coming back online, can occur without the knowledge of the website owner.
Researchers from RiskIQ have noted that malicious domains that have been used in old Magecart attack campaigns are being repurchased for use in new malvertising campaigns.
A detailed picture
- These malicious domains have been sinkholed and seized.
- However, some of these malicious domains are released back into the pool of available domains.
- Such domains are being purchased by bad actors for various malicious purposes including ad fraud and malvertising campaigns.
The exact call that a compromised site once used to fetch skimmer code is now put to work for monetization. Instead of serving information-stealing code at that path again, the new owner of the domain injects an advertisement page for an ad fraud campaign.