Magecart Attackers Take Over Expired Domain to Deliver Web Skimming Scripts

Cybercriminals have been using sophisticated methods to target and exploit vulnerable websites, and the latest trend is to take over expired domains to deliver web skimming scripts. In this attack, the attackers acquired an expired domain that used to host a popular JavaScript library and used it to inject malicious web skimming scripts into a number of e-commerce sites.

The attackers acquired the domain tracker.web-cockpit[.]jp, which belonged to a free web marketing and analytics service that was discontinued in December 2014. The original JavaScript library was replaced with a malicious web skimming script, and the attackers made no attempt to disguise it. Depending on the value of the Referer header, the domain served either no script, a default skimmer, or a skimmer tailored to the referring site.

The default skimmer ran on the Order and Register pages, harvested the values of every input, select and textarea element on the page, and injected a fake credit card submission form to collect more data. The site-specific skimmer was a custom fake version of the legitimate Google Analytics script, capable of grabbing email addresses and payment card data.

Data collected from the sites was encoded, encrypted and then sent to an exfiltration server based in Russia. The malicious domain is still up and returns an empty page, though the favicon contains a copy of one of the skimmers.

The researchers notified the owners of the sites affected by this attack, and some of them have removed the script fetching the skimmers. However, some sites have not removed the script and have instead added a small notice to the payment page. This could be because they are using a website generator service or a Content Management System (CMS) that includes it by default.

To protect against this type of attack, keep an inventory of every third-party script your site loads, review it regularly, and remove any script that is no longer necessary.

The internet is a vast landscape of websites, each vying for attention and search engine optimization.

Unfortunately, it’s not always easy to keep up with the ever-changing landscape, as many websites that once held great promise can easily slip through the cracks and become neglected. When this happens, the domain can expire, leaving it open to malicious actors.

When a domain expires, it is no longer associated with its original owner and is open for anyone to purchase. This can be a great opportunity for hackers to take over a domain and use it for their own malicious purposes. Attackers can use expired domains to run malicious scripts, redirect traffic, and even spread ransomware.

Fortunately, there are steps that website owners can take to ensure that their domains remain secure and that they don’t become vulnerable to these types of attacks. The first step is to monitor your domain portfolio and ensure that all domains are renewed before they expire. This will help to prevent malicious actors from taking over the domain and using it for their own purposes.

It’s also important to be aware of any changes to the domain’s DNS settings. Attackers may try to modify the domain’s DNS settings in order to redirect traffic to malicious websites. Staying aware of any changes to the domain’s DNS settings can help to prevent attackers from successfully hijacking the domain.
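The three checks recommended here (inventory the third-party scripts a page loads, watch the lifecycle of the domains those scripts depend on, and detect DNS changes) can be scripted. The following is an added example written for this article, not code from the article or from the researchers who reported the attack. The sample HTML, the registrar expiry dates, and the DNS snapshots are constructed; only the tracker host name is taken from the article. It assumes registrable domains have two labels (a simplification that a production tool would replace with a public-suffix lookup), and the `integrity` value shown is a placeholder rather than a real hash.

```python
"""Third-party script inventory plus domain-expiry and DNS-drift checks.

Added example for the article above; all sample data below is constructed.
"""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every external <script src=...> along with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def script_host(src):
    """Host a script is fetched from; '' for same-origin relative paths."""
    if src.startswith("//"):            # protocol-relative URLs still go off-site
        src = "https:" + src
    return urlparse(src).netloc.lower()


def audit_scripts(html, site_host, allowed_hosts):
    """Classify each external script as first-party, allowed, or unexpected third-party."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = script_host(s["src"]) or site_host
        if host == site_host:
            origin = "first-party"
        elif host in allowed_hosts:
            origin = "allowed-third-party"
        else:
            origin = "unexpected-third-party"
        findings.append({"src": s["src"], "host": host, "origin": origin,
                         "has_integrity": s["integrity"] is not None})
    return findings


def domain_status(host, expiry_by_domain, today, window_days=30):
    """Flag hosts whose registrable domain has lapsed, is about to expire, or is untracked."""
    domain = ".".join(host.split(".")[-2:])   # assumption: two-label registrable domains
    exp = expiry_by_domain.get(domain)
    if exp is None:
        return "unknown"                      # nobody in-house tracks this domain's lifecycle
    days = (date.fromisoformat(exp) - today).days
    if days < 0:
        return "lapsed"
    if days <= window_days:
        return "expiring-soon"
    return "ok"


def dns_drift(baseline, current):
    """Report record sets that differ between a stored baseline and a fresh lookup."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        before = baseline.get(key, set())
        after = current.get(key, set())
        if before != after:
            drift.append({"record": key, "added": sorted(after - before),
                          "removed": sorted(before - after)})
    return drift


# Constructed sample page: two first-party scripts, one vetted CDN script with a
# placeholder SRI value, and one script from the discontinued tracker host named above.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//tracker.web-cockpit.jp/tracker.js"></script>
</head><body></body></html>
"""

# Constructed registrar export and DNS snapshots (dates and addresses are made up).
EXPIRY = {"shop.example": "2026-01-15", "cdn.example": "2025-12-01"}
TODAY = date(2025, 11, 10)
BASELINE_DNS = {("shop.example", "A"): {"198.51.100.10"},
                ("shop.example", "NS"): {"ns1.example", "ns2.example"}}
CURRENT_DNS = {("shop.example", "A"): {"198.51.100.10"},
               ("shop.example", "NS"): {"ns1.example", "ns-attacker.example"}}


def run_checks():
    """Run all three checks over the constructed data and return the findings."""
    findings = audit_scripts(SAMPLE_HTML, "shop.example", {"cdn.example"})
    for f in findings:
        f["domain_status"] = domain_status(f["host"], EXPIRY, TODAY)
    return {"scripts": findings, "dns_drift": dns_drift(BASELINE_DNS, CURRENT_DNS)}


if __name__ == "__main__":
    result = run_checks()
    for f in result["scripts"]:
        print(f)
    print(result["dns_drift"])
```

In this run the tracker script is reported as an unexpected third party with no integrity attribute and a domain whose lifecycle nobody in-house tracks, which is exactly the dependency an expired-domain takeover exploits; the CDN domain is flagged as expiring within 30 days, and the NS record change shows up as drift against the stored baseline.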

In conclusion, expired domains are vulnerable to malicious actors and can be used to run malicious scripts, redirect traffic, and even spread ransomware. To protect yourself from these types of attacks, it is important to monitor your domain portfolio and ensure that all domains are renewed before they expire.