Sinkholed Magecart domains previously used for payment card skimmers could pose new threats such as ad fraud and malvertising.
RiskIQ, a San Francisco-based threat intelligence vendor, discovered a handful of sinkholed domains formerly used by Magecart cybercriminals have been subtly purchased and re-registered by unknown groups. Instead of using these old Magecart domains for payment card skimming, the threat actors are using them as traffic sources for advertising schemes.
In a blog post, Yonathan Klijnsma, head of threat research at RiskIQ, explained that registrars often put domains up for sale again after they have been taken down due to malicious activity.
“Here’s the catch: when these domains come back online, they retain their call-outs to malicious domains placed on breached websites by attackers, which means they also retain their value to threat actors,” Klijnsma wrote in the blog post.
A “secondary market” has emerged around Magecart domains where other threat actors use the domains, which are still receiving significant traffic after being taken down, to run advertisements. Klijnsma told SearchSecurity it’s common for a formerly malicious domain with an attractive or common name to be purchased by domain name speculators for advertising purposes.
“They buy it up and the main domain gets a parking page and the parking page will have ads,” he said. “And that’s their way of monetizing it in a white hat sort of way.”
Klijnsma said the new threat actors can’t “play the ignorance card”; they wouldn’t use the exact same file path as the Magecart skimmers and then log the traffic to the domains unless they knew what the domains had been used for previously and were aware of how to monetize them, he said.
“They have some knowledge of what’s going on, which is curious and illegitimate in our eyes,” Klijnsma said.
Potential threats on old domains
Klijnsma said he found the secondary market for Magecart domains accidentally. He discovered RiskIQ’s platform had flagged a handful of the old domains by crawling the pages, but it hadn’t flagged any skimmer activity, which prompted him to take a closer look at one of the domains that had been sinkholed — cdnanalytics.net.
“I noticed the injection of ads in the page, which is definitely not a skimmer,” he said. “After that, looking at the actual domain, I noticed it was re-registered.”
The re-registering of the domain was done in a “very subtle way” where the new threat actors used the same registrar as the Magecart cybercriminals; the only change in the WhoIs data for the domain was the name server. Klijnsma said it’s unclear why the new owners used the same registrars for all of the Magecart domains but he said he believes it was “purposeful.”
Klijnsma also said he noticed the advertising script contained another domain — cleverjump.org — and an analysis of host pairs between the cleverjump.org script revealed “several hundred domains” for 2019 alone, including several old Magecart domains.
“If you look at those other domains, you’ll find a lot of attractive, nicely-made domain names,” he said. “I think they just keep buying this stuff up to deliver ads and get whatever traffic they can get.”
Klijnsma said the Magecart domains present a legal and ethical gray area. While the new threat actors are using malicious Magecart code and monetizing illegitimate traffic for ad fraud, there are currently no signs of malvertising or other direct threats to users on the sites. The ads being served on the domains are thus far legitimate and are being served from several ad networks, which RiskIQ declined to name.
While RiskIQ flagged the Magecart domains, the company won’t blacklist them again unless it detects skimmers, malware or other malicious activity on them. However, Klijnsma urged caution in his blog post.
“While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit,” he wrote. “Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising.”