
A Deep Dive into Known Magecart IoCs: What Are the Connected Internet Properties?

Magecart-style attacks have been around for a while and continue to be mentioned in the news in 2021. We found and collected a list of 20 domain names that have been mentioned in the past months on VirusTotal as Magecart indicators of compromise (IoCs). We then sought to expand these domains’ digital footprints to uncover more artifacts or possibly even IoCs that users may need to stay away from as well.

Our sample list of IoCs included seven .com domains, five .biz domains, three .cc domains, and one each of .host, .name, .online, .site, and .ws. At least in this particular sample, we can thus say that more generic top-level domains (gTLDs) than country-code top-level domains (ccTLDs) were mentioned recently.

Chart 1: A majority of the Magecart IoCs were gTLDs.

WHOIS Lookup Results

WHOIS lookup queries for the sample revealed that only half of the domains could be attributed to either specific individuals or organizations. We ascertained ownership by determining if the domains’ WHOIS records had identifiable registrants as evidenced by the presence of a registrant or administrative contact name, organization, or email address. The analysis showed that five of the domain owners were identifiable via their names, three by their organization names, and two by either a registrant or an administrative contact email address.

Chart 2: Only 10 of the domains had record details that could point to identifiable owners.

Name servers (NSs) were found in our WHOIS lookup for a majority (80%) of the domains. A breakdown of the number of NSs for the 16 domains with NS details is shown below. Nine of the domains had two NSs each, five had five servers each, one had three servers, and one had four servers.

Interestingly, several of the IoCs shared NSs at the time of our lookup, which could point to shared infrastructure and possibly the same attack or campaign. These are:

  • Fastmycdn[.]com, localserver[.]host, and rooplancdn[.]com, which all pointed to a[.]dnspod[.]com and c[.]dnspod[.]com.
  • Statistik[.]site, webinformer[.]biz, and zigzapframe[.]biz, which all pointed to park[.]i-now[.]cn and park[.]i-now[.]com.

Chart 3: A majority of the domains had two NSs each.

IoC List Expansion

Given the identifiable details obtained from the WHOIS lookups, we found other potential Magecart artifacts that concerned organizations may want to look deeper into.

Using the domains as DNS lookup search terms, we obtained two IP addresses—209[.]126[.]123[.]12 and 45[.]67[.]231[.]22. We subjected these to reverse IP/DNS searches and got at least 301 additional domains. More than 300 domains resolved to 209[.]126[.]123[.]12 (e.g., 0-rublejj-porno[.]yasakli[.]biz, 0[.]mahvareh[.]biz, and 004kv[.]bbjrmy[.]com), while only one (i.e., securemac[.]biz) resolved to 45[.]67[.]231[.]22.

These 301 or more domains could be subjected to further analysis, as one or more of them could be malicious and thus require blocking.

Historical reverse WHOIS searches on the personally identifiable information (PII) exposed in the registrants' records returned a list of 8,857 domains. They are not all unique, though, as some of the domains shared the same PII. Examples of the thousands of other domains include anduansury[.]com, 0011668[.]com, advertweb[.]biz, 028211[.]info, and amasty[.]biz.

Finally, reverse IP/DNS lookups for the 39 NSs identified gave us another 158 domains, one or more of which could be connected to the threat. Examples of these include 1755[.]com, dby7878[.]com, dby338[.]com, busanit[.]or[.]kr, bomtvcard[.]com, tf-lab[.]net, 78881dh[.]com, carrym[.]com, 78882[.]com, cleantopia[.]com, 78883[.]com, activategotvcode[.]com, and activategotvcode[.]com.

All in all, we obtained an additional 9,316 domains (not unique) and two IP addresses that could potentially be dangerous to access as well, since they share owners or infrastructure with the identified IoCs. All of these could be used in DNS attacks.

A simple WHOIS search can serve as a starting point for digital footprint expansion when investigating threats like the Magecart attacks. Both security-conscious network administrators and the owners of the domains and IP addresses identified as artifacts can benefit from additional checks of passive and other DNS records to determine if they are at risk of either becoming the next victims or being tagged as attackers.
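The following script is an added, offline illustration of the two pivots described in this post: grouping IoCs by identical name-server sets as a sign of shared infrastructure, and expanding the footprint through forward DNS, reverse IP, reverse WHOIS on registrant contacts, and reverse IP on the name servers themselves. It is example code, not WhoisXML API's tooling, and every domain, IP address, contact and lookup table in it is constructed for the example (in place of live WHOIS and passive DNS queries). It keeps, for each discovered domain, which pivot produced it, so an analyst can tell a strong link (same registrant) from a weak one (a crowded shared-hosting IP or a parking name server, which is how one IP in the post yielded 300+ domains).

```python
"""Offline WHOIS/DNS footprint expansion over constructed data (example only)."""
from collections import defaultdict
from dataclasses import dataclass, field


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('a[.]b[.]example') into a resolvable name."""
    return ioc.replace("[.]", ".")


def defang(name: str) -> str:
    """Defang a name for reports, the way this post writes its IoCs."""
    return name.replace(".", "[.]")


# ---- Constructed lookup tables (hypothetical; stand in for WHOIS / passive DNS APIs) ----
SEED_IOCS = ["cdn-one[.]example", "cdn-two[.]example", "stats-three[.]example",
             "frame-four[.]example", "lone-five[.]example"]

WHOIS = {  # domain -> registrant contact (None = redacted) and name servers
    "cdn-one.example":     {"email": "reg-a@mail.example", "ns": ["a.ns.example", "c.ns.example"]},
    "cdn-two.example":     {"email": None,                 "ns": ["c.ns.example", "a.ns.example"]},
    "stats-three.example": {"email": "reg-b@mail.example", "ns": ["park.ns.example"]},
    "frame-four.example":  {"email": None,                 "ns": ["park.ns.example"]},
    "lone-five.example":   {"email": None,                 "ns": []},
}
A_RECORDS = {  # domain -> IPv4 address it currently resolves to (None = no A record)
    "cdn-one.example": "192.0.2.10", "cdn-two.example": "192.0.2.10",
    "stats-three.example": "198.51.100.7", "frame-four.example": "198.51.100.7",
    "lone-five.example": None,
    "a.ns.example": "192.0.2.53", "c.ns.example": "192.0.2.54", "park.ns.example": "198.51.100.53",
}
REVERSE_IP = {  # ip -> domains observed resolving to it (passive DNS, may repeat)
    "192.0.2.10": ["cdn-one.example", "cdn-two.example", "shop-mirror.example", "cdn-two.example"],
    "198.51.100.7": ["stats-three.example", "frame-four.example"],
    "192.0.2.53": ["a.ns.example", "dns-tenant-1.example"],
    "192.0.2.54": ["c.ns.example"],
    "198.51.100.53": ["park.ns.example", "parked-1.example", "parked-2.example"],
}
REVERSE_WHOIS = {  # registrant email -> domains registered with the same contact
    "reg-a@mail.example": ["cdn-one.example", "other-a1.example", "other-a2.example"],
    "reg-b@mail.example": ["stats-three.example", "other-b1.example"],
}


def shared_nameserver_clusters(whois: dict) -> dict:
    """Group domains with identical NS sets; a group of two or more hints at shared infrastructure."""
    groups = defaultdict(list)
    for domain, rec in whois.items():
        if rec["ns"]:
            groups[tuple(sorted(rec["ns"]))].append(domain)
    return {ns: sorted(doms) for ns, doms in groups.items() if len(doms) > 1}


@dataclass
class Expansion:
    ips: set                       # IPs the seed IoCs resolve to
    pivots: dict = field(default_factory=lambda: defaultdict(set))  # new domain -> reasons
    raw_hits: int = 0              # hits before de-duplication, as the post counts them


def expand_footprint(seeds, whois, a_records, reverse_ip, reverse_whois) -> Expansion:
    """Run the three pivots from the post and record why each new domain was found."""
    seed_set = {refang(s) for s in seeds}
    exp = Expansion(ips=set())

    def add(domain: str, reason: str) -> None:
        if domain not in seed_set:          # only count domains we did not start with
            exp.raw_hits += 1
            exp.pivots[domain].add(reason)

    # 1. Forward DNS on each seed, then reverse IP to find co-hosted domains.
    for d in sorted(seed_set):
        ip = a_records.get(d)
        if ip:
            exp.ips.add(ip)
            for co in reverse_ip.get(ip, []):
                add(co, f"reverse-ip:{ip}")
    # 2. Reverse WHOIS on any identifiable registrant contact.
    for d in sorted(seed_set):
        email = whois.get(d, {}).get("email")
        for co in reverse_whois.get(email, []) if email else []:
            add(co, f"reverse-whois:{email}")
    # 3. Reverse IP on the name servers themselves (skipping the NS hostnames).
    nameservers = {ns for d in seed_set for ns in whois.get(d, {}).get("ns", [])}
    for ns in sorted(nameservers):
        for co in reverse_ip.get(a_records.get(ns), []):
            if co not in nameservers:
                add(co, f"reverse-ns:{ns}")
    return exp


if __name__ == "__main__":
    for ns_set, members in shared_nameserver_clusters(WHOIS).items():
        print("shared NS", ns_set, "->", [defang(m) for m in members])
    result = expand_footprint(SEED_IOCS, WHOIS, A_RECORDS, REVERSE_IP, REVERSE_WHOIS)
    print(f"{result.raw_hits} hits, {len(result.pivots)} unique domains, IPs {sorted(result.ips)}")
    for domain, reasons in sorted(result.pivots.items()):
        print(f"  {defang(domain):28} {', '.join(sorted(reasons))}")
```

With live data the three tables would be filled from WHOIS, DNS and passive DNS lookups; the structure stays the same. The raw-versus-unique distinction mirrors the post's "9,316 domains (not unique)", and the per-domain reasons are what make the expanded list usable for blocking decisions rather than a flat dump.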

Security professionals who wish to protect their networks from possibly Magecart-related attacks can contact us for a complete list of the artifacts gathered for this short study or more details on using the various tools featured in this post. We also recently launched the Typosquatting Community Feed, an apply-only feed reserved for the security community, that is made available freely for security research purposes.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

