I Can’t See Behind Media Land on My Map

According to a report from security firm RiskIQ, several Magecart groups hide their JavaScript skimmers, phishing domains and other malicious tools behind a secure hosting service called Media Land. During their investigation, the researchers found that thousands of domains used for JavaScript skimmers, phishing and other malicious infrastructure have been registered with Media Land since 2018 using at least two email addresses and other aliases.

The use of these secure hosting services helps to keep the malicious infrastructure used by cybercriminal groups and fraud actors hidden from law enforcement agencies. Jordan Herman, a threat researcher at RiskIQ and one of the authors of the report, notes that these hosting services, along with other underground services, support a robust ecosystem that allows Magecart groups to thrive. "This is just another part of the skimming ecosystem that includes carding shops, skimmer kits, sales of access to compromised sites, etc. … There's a vibrant black market around skimming," Herman says.

The Media Land hosting service has a reputation for catering to various cybercriminal groups, hackers and fraudsters. A 2019 article by security expert Brian Krebs noted that the service's owner aggressively touted Media Land on various underground forums, and that the platform was used to host illicit tools supporting ransomware and other malware attacks, as well as domains supporting phishing campaigns.

This type of skimming is known as a supply chain attack. The idea behind these attacks is to compromise a third-party piece of software from a VAR or systems integrator, or to infect an industrial process unbeknownst to IT. Shopping carts are attractive targets because they collect payment information from customers: if malware can tap into this data stream, the attacker has a ready-made card collection tool. Almost all ecommerce sites that use shopping carts do not properly vet the code that is used with these third-party pieces, which leaves an open door for hackers and thieves.

Magecart is the umbrella name for cybercriminals who plant JavaScript skimmers in the checkout functions of e-commerce sites to steal payment card data. These attacks have targeted hundreds of sites over the past three years. Herman notes that several Magecart groups appear to be using the Media Land hosting service at any given time. Researchers began investigating Media Land's activity while examining someone using the name "Julio Jaime," who has registered about 240 separate domains with Media Land. These domains were mainly used for phishing campaigns that appeared to target banking customers, such as those of the Bank of Ireland, as well as users of Microsoft Office 365.

The individual or group behind the Julio Jaime persona used the email address "medialand.regru@gmail[.]com" to help register these domains. This appears to be a reference to the Media Land hosting service. A second similar email address, "medialand.webnic@gmail[.]com," was also found, according to the report. "These emails reference a hosting service Media Land, that caters to criminal activity. It is unclear if there is a connection between the person(s) operating the emails and the person behind the hosting service," according to the report. "The Magecart domains registered by these emails have been connected to several different skimmers. It is also unclear whether these emails are directly controlled by actors carrying out skimming and phishing attacks or part of some third-party service."

As the researchers looked further into the domains Julio Jaime was registering with the Media Land service, they found several associated with JavaScript skimmers used by various Magecart groups. These include domains such as cdnpack[.]net and gstaticapi[.]com, according to the report.
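The supply-chain paragraph above says that most shops never vet the third-party JavaScript their checkout pages load, and the report names skimmer-hosting domains such as cdnpack[.]net and gstaticapi[.]com. The following script is an added example (not from the report, RiskIQ or Red Sky Alliance) of the kind of check a shop owner can run against their own checkout page: it collects every external script tag, flags hosts that are either named in the report or not on a vetted allowlist, and verifies Subresource Integrity (SRI) hashes against the bytes actually served so that a tampered file on an otherwise trusted CDN is also caught. The allowlist hosts (`shop.example`, `cdn.shop.example`), the sample HTML and the script contents are constructed for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Skimmer domains named in the RiskIQ report summarised above (de-fanged in the text).
REPORTED_SKIMMER_DOMAINS = {"cdnpack.net", "gstaticapi.com"}

# Hypothetical allowlist of hosts this shop has vetted for serving JavaScript.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}


class ScriptTagCollector(HTMLParser):
    """Collects every external <script src=...> tag together with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = {k.lower(): v for k, v in attrs}
        if attr.get("src"):
            self.scripts.append({"src": attr["src"], "integrity": attr.get("integrity")})


def sri_token(content: bytes, algo: str = "sha384") -> str:
    """Builds a Subresource Integrity token such as 'sha384-<base64 digest>' for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if any token in a (possibly space-separated) integrity attribute matches content."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_token(content, algo) == token:
            return True
    return False


def audit_scripts(html: str, fetched: dict) -> list:
    """Returns (src, finding) pairs; `fetched` maps a script URL to the bytes actually served."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src, integrity = script["src"], script["integrity"]
        host = (urlparse(src).hostname or "").lower()  # empty for relative, first-party paths
        if host in REPORTED_SKIMMER_DOMAINS:
            findings.append((src, "reported_skimmer_domain"))
            continue
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((src, "unvetted_host"))
            continue
        if not integrity:
            findings.append((src, "no_sri"))
        elif src in fetched and not sri_matches(fetched[src], integrity):
            findings.append((src, "sri_mismatch"))  # served bytes differ from the pinned hash
    return findings


# Constructed sample scripts: cart.js is served with extra content the page did not pin.
CHECKOUT_JS = b"window.checkout = function () { /* vetted code */ };"
CART_JS_ORIGINAL = b"window.cart = {};"
CART_JS_SERVED = b"window.cart = {}; /* unexpected extra code */"

# Constructed checkout page: two pinned scripts, one unpinned, one reported domain, one unknown host.
SAMPLE_HTML = f"""
<html><body>
<script src="https://cdn.shop.example/checkout.js" integrity="{sri_token(CHECKOUT_JS)}"></script>
<script src="https://cdn.shop.example/cart.js" integrity="{sri_token(CART_JS_ORIGINAL)}"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script src="https://gstaticapi.com/jquery.min.js"></script>
<script src="https://metrics.thirdparty.example/t.js"></script>
</body></html>
"""

# What the CDN actually returned when the two pinned scripts were fetched (constructed).
SAMPLE_FETCHED = {
    "https://cdn.shop.example/checkout.js": CHECKOUT_JS,
    "https://cdn.shop.example/cart.js": CART_JS_SERVED,
}

if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML, SAMPLE_FETCHED):
        print(f"{finding:24} {src}")
```

Run against the constructed page, the audit reports `sri_mismatch` for cart.js, `no_sri` for analytics.js, `reported_skimmer_domain` for the gstaticapi.com script and `unvetted_host` for the metrics host, while the correctly pinned checkout.js produces nothing. In practice the allowlist would be the shop's own list of approved script hosts, the blocklist would be fed from threat-intelligence reports such as the one above, and the `fetched` bytes would come from fetching each script URL on a schedule; pinning every third-party script with an `integrity` attribute (and a Content Security Policy restricting `script-src`) is what makes a swapped file fail in the browser rather than silently collecting card data.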

The report noted that a skimmer called Grelos, which was revamped by its Magecart operators in November 2020, is also supported by a domain that was registered by Julio Jaime and hosted on the Media Land service. The researchers believe that the email addresses associated with the Julio Jaime persona have registered about 1,000 domains with Media Land since 2018, many of which spoof brands such as Facebook and Google. And while many of these domains host skimmers, there are phishing domains as well, which are not typically associated with Magecart attacks. "We're not clear if some of the phishing domains were used as an initial attack vector against websites that were later compromised with skimmers," Herman says. "That is certainly a possibility, but we don't know for certain. Most of the phishing domains were probably used just for phishing end users of various services."

Over the last several years, RiskIQ and other security firms have tracked thousands of attacks associated with various Magecart groups, including several high-profile incidents that have affected companies such as British Airways, Macy's, Wawa and Newegg.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Reporting:  https://www.redskyalliance.org/

Website:     https://www.wapacklabs.com/

LinkedIn:   https://www.linkedin.com/company/wapacklabs/

Twitter:      https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949

TR-21-033-001_medialand.pdf

Source: https://www.bankinfosecurity.com/magecart-groups-hide-behind-bulletproof-hosting-service-a-15778?rf=2021-01-19_ENEWS_SUB_BIS__Slot6_ART15778&mkt_tok=eyJpIjoiWW1JNU5EZ3laalJtWldFdyIsInQiOiIyNEtDeHNFOGtFakVyeVU0dHFXS255akhvR2lJQlMrZnhiSXZiZVhpNGNOT3lGaHU0ZmFOUlQ5UFwvNlBYQTRoZ0ZxMUFFaEoreVFaZFhlR2dYYkM1NHIwWFJpM3RqemJ1Vk5UVmhKYlJ2YmtWWU9LZ3p5aWhwY1ZqZlhUTVR6T3MifQ%3D%3D