Home / Industry

A Deep Dive into Known Magecart IoCs: What Are the Connected Internet Properties?

Magecart-style attacks have been around for a while and continue to be mentioned in the news in 2021. We found and collected a list of 20 domain names that have been mentioned in the past months on VirusTotal as Magecart indicators of compromise (IoCs). We then sought to expand these domains’ digital footprints to uncover more artifacts or possibly even IoCs that users may need to stay away from as well.

Our sample list of IoCs included seven .com domains; five .biz domains; three .cc domains; and one .host, .name, .online, .site, and .ws domains each. At least in our particular sample, we can thus say that more generic (gTLDs) than country-code top-level domains (ccTLDs) were mentioned recently.

Chart 1: A majority of the Magecart IoCs were gTLDs.

WHOIS Lookup Results

WHOIS lookup queries for the sample revealed that only half of the domains could be attributed to either specific individuals or organizations. We ascertained ownership by determining if the domains’ WHOIS records had identifiable registrants as evidenced by the presence of a registrant or administrative contact name, organization, or email address. The analysis showed that five of the domain owners were identifiable via their names, three by their organization names, and two by either a registrant or an administrative contact email address.

Chart 2: Only 10 of the domains had record details that could point to identifiable owners.

Name servers (NSs) were found in our WHOIS lookup for a majority (80%) of the domain owners. A breakdown of the volume of NSs the 16 domains with NS details is shown below. The results showed that nine of the domains had two NSs each, five had five servers each, one had three servers, and one had four servers.

Interestingly, several of the IoCs shared NSs at the time of our lookup, which could point to the same infrastructure and possibly attack or campaign. These are:

  • Fastmycdn[.]com, localserver[.]host, and rooplancdn[.]com, which all pointed to a[.]dnspod[.]com and c[.]dnspod[.]com.
  • Statistik[.]site, webinformer[.]biz, and zigzapframe[.]biz, which all pointed to park[.]i-now[.]cn and park[.]i-now[.]com.
Chart 3: A majority of the domains had two NSs each.

IoC List Expansion

Given the identifiable details obtained from the WHOIS lookups, we found other potential Magecart artifacts that concerned organizations may want to look deeper into.

Using the domains as DNS lookup search terms, we obtained two IP addresses—209[.]126[.]123[.]12 and 45[.]67[.]231[.]22. We subjected these to reverse IP/DNS searches and got at least 301 additional domains. More than 300 domains resolved to 209[.]126[.]123[.]12 (e.g., 0-rublejj-porno[.]yasakli[.]biz, 0[.]mahvareh[.]biz, and 004kv[.]bbjrmy[.]com), while only one (i.e., securemac[.]biz) did to 45[.]67[.]231[.]22.

These 301 or more domains could be subjected to further analysis, as one or more of them could be malicious and thus require blocking.

Historic reverse WHOIS searches using the personally identifiable information (PII) the registrants revealed provided a list of 8,857 domains. They are not all unique, though, as some of the domains shared the same PII. Examples of the thousands of other domains include anduansury[.]com, 0011668[.]com, advertweb[.]biz, 028211[.]info, and amasty[.]biz.

Finally, reverse IP/DNS lookups for the 39 NSs identified gave us another 158 domains, one or more of which could be connected to the threat. Examples of these include 1755[.]com, dby7878[.]com, dby338[.]com, busanit[.]or[.]kr, bomtvcard[.]com, tf-lab[.]net, 78881dh[.]com, carrym[.]com, 78882[.]com, cleantopia[.]com, 78883[.]com, activategotvcode[.]com, and activategotvcode[.]com.

All in all, we obtained an additional 9,316 domains (not unique) and two IP addresses that could be potentially dangerous to access as well since these share owners or infrastructures with the identified IoCs. All these could be used in DNS attacks.


A simple WHOIS search can serve as a starting point for digital footprint expansion when investigating threats like the Magecart attacks. Both security-conscious network administrators and owners of the domains and IP addresses identified as artifacts can benefit from the additional checks of passive and other DNS records to determine if they are at risk of either becoming the next victims or be tagged as attackers.

Security professionals who wish to protect their networks from possibly Magecart-related attacks can contact us for a complete list of the artifacts gathered for this short study or more details on using the various tools featured in this post. We also recently launched the Typosquatting Community Feed, an apply-only feed reserved for the security community, that is made available freely for security research purposes.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO

Cybersecurity

Sponsored byVerisign