Gorodenkoff - stock.adobe.com
Warzone bulletproof hosts protecting Magecart group
Security researchers have discovered a Magecart group operating with impunity using bulletproof hosting services, including one in battle-scarred Ukraine
Researchers at security firm Malwarebytes have discovered a credit card skimming group operating with impunity from law enforcement and actions from the security community.
Credit card data thieves, commonly known as Magecart groups, typically use JavaScript code injected into compromised e-commerce sites to harvest data from shoppers.
During an investigation into one campaign, the researchers noticed the threat actors had taken some additional precautions to avoid disruption or takedowns.
They found that to operate outside the reach of law enforcement, the group is using servers hosted in the city of Luhansk in Ukraine to receive credit card details and other information so that the cards can be processed and eventually resold in underground forums.
The servers are hosted by opportunists among those taking advantage of the chaos in the region to offer bulletproof hosting services for “grey projects” safe from the reach of European and American law enforcement, the researchers wrote in a blog post. “A host ripe with malware, skimmers, phishing domains,” they said.
The corresponding set of servers is hosted in Iceland by another bulletproof hosting provider that claims it will “always go the extra mile to protect our customers’ civil rights, including the freedom of expression, the freedom of the press, the right to anonymity and privacy”.
The group injects its skimmer code into compromised Magento sites disguised as Google Analytics using the domain google-anaiytic[.]com.
Each compromised online store has its own skimmer located in a specific directory named after the site’s domain name.
The researchers found evidence that the group had usernames and passwords needed to log in to hundreds of compromised Magento sites that had been injected with the group’s skimmer code.
They also found backdoor coded in PHP script language that the researchers believe is being used on those compromised sites.
Inspection of the “exfiltration gate” used to send the stolen data back to the criminals revealed that it was another Google lookalike (google.ssl.lnfo[.]cc) and that the stolen data is sent to the exfiltration server via a HTTP GET request.
The data is then received as a Javascript Object Notation (JSON) file where each field contains the victim’s personal information in clear text.
The primary target, the researchers said, is the credit card information that can be immediately monetised, but in this case the skimmer is also collecting data such as names, addresses, phone numbers, and emails, which they note are extremely valuable for identity theft or spear phishing.
The researchers note that bulletproof hosting services have long been a staple of cyber crime. “For instance, the infamous Russian Business Network (RBN) ran a variety of malicious activities for a number of years,” they said.
Due to the nature of such hosts, the researcher said takedown operations are difficult: “It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”
To protect against these threats, Malwarebytes is blocking all the domains and IP addresses associated with skimmers and malware for customers. The researchers said they have also reported all compromised Magento e-commerce sites to their respective registrars or hosts.
Read more about bulletproof hosting
- The GozNym network exemplified the concept of cyber crime as a service, with different criminal services such as bulletproof hosters, money mule networks, crypters, spammers, coders, organisers and technical support.
- Expert Nick Lewis explains what bulletproof hosting is and how enterprises can best defend against malware that uses it as part of its attack scheme.
- More than a dozen US-based web servers are operating as the malware equivalent of an Amazon fulfilment centre to target businesses, hosted on BuyVM datacentres owned by FranTech Solutions, a bulletproof hosting provider.