Researchers from RiskIQ have noted that malicious domains that have been used in old Magecart attack campaigns are being repurchased for use in new malvertising campaigns.
A detailed picture
The entire lifecycle of these malicious domains being used in the Magecart campaign, getting sinkholed, and then coming back online, can occur without the knowledge of the website owner.
The exact call once used to grab skimmer code was now set to work for use in monetization. Instead of reloading the path with information-stealing malicious code, the new owner of the domain injected an advertisement page for an ad fraud campaign.