Magecart has so radically changed the threat landscape, victimizing hundreds of thousands of sites and millions of users, that other cybercriminals are building campaigns to monetize its handiwork, RiskIQ research reveals.
These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data.
Once registrars make these domains available again after they were sinkholed or otherwise deactivated, these scavengers buy them up. Their goal is to use them for malvertising and other threat activity, monetizing the traffic from the breached websites on which references to these domains remain.
Website owners typically have no visibility into these calls, which means the entire lifecycle of a malicious domain embedded on a website, from web skimming to deactivation to reactivation to use in another type of threat activity, can pass without the owner having any indication that something is wrong.
“The challenge with these domains is that many website owners were never aware of an active skimmer threat on their site in the first place,” says RiskIQ threat researcher Yonathan Klijnsma. “And unfortunately, once these malicious domains come back online, bad actors can pick up where the original skimmer left off with the intention of monetization.”
Key takeaways include:
- The lifecycle of a malicious domain
- How bad actors take advantage of old Magecart domains
- How to read subtle WHOIS changes that indicate a takeover
- Tips for site owners to maintain visibility into the code on their site
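The two defensive takeaways above (reading WHOIS changes that indicate a takeover, and keeping visibility into the third-party code a site loads) can be combined into one simple audit. The following is an added example, not code from RiskIQ or from the article: it inventories the third-party script hosts referenced in a page's HTML and, for each one, compares the registration record against the date the site first loaded that host and an earlier WHOIS snapshot. A creation date later than the first observed use means the domain was dropped and re-registered, which is exactly the lifecycle the article describes; a registrar or nameserver change on top of that is a second signal. The sample HTML, the `.invalid` hostnames, the dates and the WHOIS records are all constructed for illustration, and in practice the snapshots would come from your own WHOIS history rather than being hard-coded.

```python
"""Added example (not from RiskIQ or the article): flag third-party script
hosts whose registration data changed after the site started loading them.
All sample data below is constructed for illustration."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one legitimate third-party
# script, and one script injected by a skimmer that was never removed.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.invalid/loader.js"></script>
<script src="https://static.skimmer-host.invalid/jquery.min.js"></script>
</head><body></body></html>
"""

# Constructed: the date the site was first seen referencing each host.
FIRST_SEEN = {
    "cdn.example-analytics.invalid": date(2017, 3, 1),
    "static.skimmer-host.invalid": date(2018, 9, 12),
}

# Constructed WHOIS snapshot from when the hosts were first seen.
WHOIS_THEN = {
    "cdn.example-analytics.invalid": {
        "created": date(2014, 5, 2), "registrar": "Registrar A",
        "nameservers": ("ns1.a.invalid", "ns2.a.invalid")},
    "static.skimmer-host.invalid": {
        "created": date(2018, 8, 30), "registrar": "Registrar B",
        "nameservers": ("ns1.b.invalid", "ns2.b.invalid")},
}

# Constructed current WHOIS snapshot: the skimmer host was dropped and
# re-registered by a different party (new creation date, registrar, NS).
WHOIS_NOW = {
    "cdn.example-analytics.invalid": WHOIS_THEN["cdn.example-analytics.invalid"],
    "static.skimmer-host.invalid": {
        "created": date(2019, 11, 4), "registrar": "Registrar C",
        "nameservers": ("ns1.c.invalid", "ns2.c.invalid")},
}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def third_party_script_hosts(html, own_host):
    """Return the distinct external hostnames the page loads scripts from."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative, first-party paths
        if host and host != own_host and host not in hosts:
            hosts.append(host)
    return hosts


def takeover_signals(host, first_seen, whois_then, whois_now):
    """List the registration changes that suggest the domain changed hands."""
    now = whois_now.get(host)
    if now is None:
        return ["no current registration record"]
    signals = []
    if host in first_seen and now["created"] > first_seen[host]:
        signals.append("creation date is later than first observed use "
                       "(domain was dropped and re-registered)")
    then = whois_then.get(host)
    if then and then["registrar"] != now["registrar"]:
        signals.append(f"registrar changed from {then['registrar']} "
                       f"to {now['registrar']}")
    if then and then["nameservers"] != now["nameservers"]:
        signals.append("nameservers changed")
    return signals


def audit(html, own_host, first_seen, whois_then, whois_now):
    """Map each third-party script host to its list of takeover signals."""
    return {host: takeover_signals(host, first_seen, whois_then, whois_now)
            for host in third_party_script_hosts(html, own_host)}


if __name__ == "__main__":
    report = audit(SAMPLE_HTML, "shop.example", FIRST_SEEN, WHOIS_THEN, WHOIS_NOW)
    for host, signals in report.items():
        print(f"{'REVIEW' if signals else 'ok':6} {host}")
        for signal in signals:
            print(f"       - {signal}")
```

Any host that comes back with signals deserves a manual look: either the reference is legitimate and the vendor simply moved registrars, or it is a leftover injection pointing at a domain that now belongs to someone else and should be removed from the page.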
These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know lead to a lot of traffic. While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites. In the future, threat actors may also engage in other schemes and threat activity far more malevolent than advertising.