Cyber criminals are resurrecting old Magecart web domains for monetisation through malvertising and ad fraud

Magecart attacks target organisations' payments system by taking advantage of security flaws in ecommerce systems

Threat actors have been bringing old Magecart web domains back to life, but this time to push malvertising and ad fraud, researchers at RiskIQ have warned.

Magecart attacks have typically targeted organisations' payments systems by taking advantage of security flaws in ecommerce systems. The gangs - most of them thought to be located in Russia and the CIS - then inject subtle JavaScript code onto the pages of ecommerce sites to exfiltrate credit card and personal details of customers as they check out.

As the sources of Magecart attacks are detected by security firms, the malicious domains used to receive the stolen data or to host the malicious code are logged and reported. Such domains are eventually sinkholed and deactivated by the domain registrars.

However, according to RiskIQ, most of the domains are eventually released back into the pool of available domains, and many of them are grabbed by secondary threat actors in order to initiate new attack campaigns.

Threat actors buying those domains know that they retain their value because previously breached websites will, in most cases, continue to make "call-outs to malicious domains" that were used for exfiltrating confidential credit card details.

According to researchers, Magecart skimmers - on average - remain on a breached website for about two months, and some stay there for much longer periods of time.

The cyber criminals then start using the re-registered domains for malvertising and other types of threat activity in order to monetise the traffic coming from the breached websites.

In carrying out their malicious activities, both secondary actors and Magecart take advantage of the fact that the owners of those earlier breached websites have little visibility into the JavaScript code running on their website.

This lack of visibility means the old JavaScript code can continue to remain embedded on the breached sites, without the owners suspecting anything wrong on their websites.

So, when a malicious domain comes back online, the breached websites start loading scripts from it again.

The cyber criminals also upload new JavaScript files to the domains they buy and monetise them through, for example, free ad space.
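The mechanism described above works because a site keeps loading whatever `<script src>` references are embedded in its pages, and the owner rarely has an inventory of them. The following Python script, added here as an example and not code from the RiskIQ report, builds that inventory from a page's HTML: it lists every third-party script host, flags hosts outside an allowlist, and flags allowlisted third-party scripts that lack a Subresource Integrity (`integrity`) attribute. The sample HTML and the hostnames in it (`shop.example`, `cdn.example`, `analytics.example`, `old-skimmer-host.invalid`) are constructed placeholders.

```python
"""Inventory third-party <script src> references in a page and check them
against an allowlist. Added example; the HTML and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        src = a.get("src")
        if src:
            self.scripts.append((src, "integrity" in a))


def external_scripts(html, site_host):
    """Return (host, src, has_sri) for each script loaded from a host other
    than the site itself. Relative URLs resolve to the site host; absolute
    and protocol-relative (//host/...) URLs resolve to their own host."""
    parser = ScriptCollector()
    parser.feed(html)
    results = []
    for src, has_sri in parser.scripts:
        host = urlparse(src).netloc.lower() or site_host
        if host != site_host:
            results.append((host, src, has_sri))
    return results


def audit(html, site_host, allowlist):
    """Flag third-party scripts from hosts outside the allowlist (this is how
    a resurrected domain keeps being loaded unnoticed) and allowlisted
    scripts that lack SRI, which would otherwise pin their exact content."""
    findings = []
    for host, src, has_sri in external_scripts(html, site_host):
        if host not in allowlist:
            findings.append(("unexpected-host", host, src))
        elif not has_sri:
            findings.append(("missing-sri", host, src))
    return findings


# Constructed sample page: one first-party script, one pinned CDN script,
# one unpinned analytics script, and one stale reference to a long-dead host.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example/a.js"></script>
<script src="//old-skimmer-host.invalid/checkout.js"></script>
</head><body></body></html>"""

ALLOWLIST = {"cdn.example", "analytics.example"}

if __name__ == "__main__":
    for kind, host, src in audit(SAMPLE_HTML, "shop.example", ALLOWLIST):
        print(f"{kind:16} {host:28} {src}")
```

Run against the sample page this reports `missing-sri` for `analytics.example` and `unexpected-host` for `old-skimmer-host.invalid`; the stale reference is exactly the kind of call-out that keeps working when the domain is re-registered. The same allowlist can be enforced at the browser with a `Content-Security-Policy` `script-src` directive, which blocks any host not on the list regardless of what is left in the HTML.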

"While ads themselves aren't malicious, they are exploiting the vulnerabilities in websites while the site owners don't benefit," the researchers warned. "Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising."

Cyber security firm Malwarebytes warned ecommerce companies of a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems. The firm claimed that it had blocked 65,000 web-skimming Magecart data theft attempts in July alone.

Earlier in July, security researchers warned that skimmer code from Magecart payment-system hackers had already infected more than 17,000 websites worldwide.