Researchers from RiskIQ have noted that malicious domains that have been used in old Magecart attack campaigns are being repurchased for use in new malvertising campaigns.
A detailed picture
Magecart attackers have been using malicious domains to inject web-skimming JavaScript into e-commerce websites and harvest customers’ payment information.
The entire lifecycle of these malicious domains, from use in a Magecart campaign, to sinkholing, to coming back online under a new owner, can unfold without the website owner ever knowing.
“Unfortunately, once these malicious domains come back online, websites will still load in scripts from them. Bad guys abuse this by loading up new JavaScript files on the malicious domains they buy up, effectively taking over where the skimmers left off. They do this for monetization through, for example, free advertisement space,” researchers said in a blog.
An example
The RiskIQ research team observed the lifecycle of one Magecart threat actor's domain. The actor registered the domain in 2017 to load malicious JavaScript onto infected websites. The domain was sinkholed in 2018, and a month later an advertiser repurchased it.
The exact URL that compromised sites once called to fetch the skimmer code was now repurposed for monetization: instead of serving information-stealing code at that path, the domain's new owner served an advertisement page for an ad fraud campaign.
“Usually, a domain bought up for parking monetization will respond to loading up the entire website directly. In the case of Magecart domains, attackers look to return specific JavaScript for the exact call the original Magecart actors made to grab their skimmer. This call is not a call-out to the main website; it’s asking for one particular JavaScript resource that the new attackers put back online,” researchers described.
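The mechanism described above works because a site keeps loading a specific JavaScript resource from a third-party host long after that host has changed hands. Two defensive checks follow from that: inventory every third-party script a page loads, and pin each one with Subresource Integrity so a replaced file at the same path fails to execute. The script below is an added example written for this page, not RiskIQ's code; the HTML, the script body and the domains (shop.example, old-skimmer-domain.example) are constructed placeholders.

```python
"""Audit <script src> tags for third-party hosts lacking Subresource Integrity,
and verify a script body against an SRI integrity value.

Added example, not from the RiskIQ report. Sample HTML, script content and
host names are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute.

    The attribute may carry several space-separated hashes. A browser only
    honours the strongest listed algorithm; this simplified check accepts a
    match against any listed hash, which is enough to show a swapped file
    failing verification.
    """
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGOS and sri_hash(body, algo) == token:
            return True
    return False


class _ScriptCollector(HTMLParser):
    """Collect src and integrity attributes of every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def audit_scripts(html: str, first_party_hosts) -> list:
    """List every external script with its host, third-party status and SRI pinning.

    A script is third-party when its host is non-empty (i.e. not a relative
    URL) and not in first_party_hosts. Third-party scripts without an
    integrity attribute are the ones a re-registered domain can replace
    without the site noticing.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"]).netloc.lower()  # handles https:// and // forms
        third_party = bool(host) and host not in first_party_hosts
        findings.append({
            "src": s["src"],
            "host": host,
            "third_party": third_party,
            "pinned": s["integrity"] is not None,
        })
    return findings


def unpinned_third_party(html: str, first_party_hosts) -> list:
    """Return the src of each third-party script that carries no integrity attribute."""
    return [f["src"] for f in audit_scripts(html, first_party_hosts)
            if f["third_party"] and not f["pinned"]]


# Constructed sample data (placeholder hosts, not real domains from the report).
LIB_JS = b"window.lib = {version: '1.0'};\n"
SAMPLE_HTML = f"""
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"
        integrity="{sri_hash(LIB_JS)}" crossorigin="anonymous"></script>
<script src="//old-skimmer-domain.example/js/loader.js"></script>
</body></html>
"""
FIRST_PARTY = {"shop.example", "cdn.shop.example"}

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, FIRST_PARTY):
        flag = "UNPINNED THIRD-PARTY" if f["third_party"] and not f["pinned"] else "ok"
        print(f"{flag:22} {f['src']}")
    # A different file served at the same path no longer matches the pinned hash.
    replaced = b"(function(){ /* new content from a re-registered host */ })();"
    print("original verifies:   ", verify_sri(LIB_JS, sri_hash(LIB_JS)))
    print("replacement verifies:", verify_sri(replaced, sri_hash(LIB_JS)))
```

Running it against the constructed page flags only the loader on the placeholder former-skimmer host, because it is third-party and unpinned, while the pinned CDN script still verifies and a substituted body for the same URL does not. Pinning only helps for scripts whose content is expected to stay fixed; for the rest, the inventory itself is the control, since each third-party host on that list is one a defender needs to keep watching for expiry or re-registration.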