Magecart-style attacks have been around for a while and continue to be mentioned in the news in 2021. We found and collected a list of 20 domain names that have been mentioned in the past months on VirusTotal as Magecart indicators of compromise (IoCs). We then sought to expand these domains’ digital footprints to uncover more artifacts or possibly even IoCs that users may need to stay away from as well.
Our sample list of IoCs included seven .com domains; five .biz domains; three .cc domains; and one domain each under .host, .name, .online, .site, and .ws. At least in our particular sample, generic top-level domains (gTLDs) were thus mentioned more often than country-code top-level domains (ccTLDs).
WHOIS Lookup Results
WHOIS lookup queries for the sample revealed that only half of the domains could be attributed to specific individuals or organizations. We ascertained ownership by determining whether the domains’ WHOIS records had identifiable registrants, as evidenced by the presence of a registrant or administrative contact name, organization, or email address. The analysis showed that five of the domain owners were identifiable via their names, three by their organization names, and two by either a registrant or an administrative contact email address.
Name servers (NSs) were found in our WHOIS lookup for a majority (80%) of the domains. A breakdown of the number of NSs for the 16 domains with NS details is shown below. The results showed that nine of the domains had two NSs each, five had five servers each, one had three servers, and one had four servers.
Interestingly, several of the IoCs shared NSs at the time of our lookup, which could point to the same infrastructure and possi
[…]
Read the original article: A Deep Dive into Known Magecart IoCs: What Are the Connected Internet Properties?
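The footprint-expansion steps described above (TLD tally, WHOIS attributability, name-server counts, and grouping domains that share name servers) as an added Python example; this is not code from the article, and every WHOIS record in it is a constructed placeholder rather than a real Magecart IoC.

```python
"""Footprint-expansion helpers for a list of domain IoCs: TLD breakdown, WHOIS
attributability, name-server counts and shared-name-server clusters.
All WHOIS records below are constructed placeholders, not real Magecart IoCs."""
from collections import Counter, defaultdict

# Constructed WHOIS-style records keyed by domain (placeholder values only).
WHOIS_RECORDS = {
    "ioc-a.com":    {"registrant": "Alice Example", "org": "", "email": "",
                     "ns": ["ns1.host-x.net", "ns2.host-x.net"]},
    "ioc-b.biz":    {"registrant": "", "org": "Example Org LLC", "email": "",
                     "ns": ["ns1.host-x.net", "ns2.host-x.net"]},
    "ioc-c.cc":     {"registrant": "", "org": "", "email": "admin@ioc-c.cc",
                     "ns": ["ns1.dns-y.net", "ns2.dns-y.net", "ns3.dns-y.net"]},
    "ioc-d.com":    {"registrant": "", "org": "", "email": "", "ns": []},  # fully redacted
    "ioc-e.biz":    {"registrant": "", "org": "", "email": "",
                     "ns": ["ns1.dns-y.net", "ns2.dns-y.net", "ns3.dns-y.net"]},
    "ioc-f.online": {"registrant": "", "org": "", "email": "",
                     "ns": ["ns1.solo-z.net", "ns2.solo-z.net"]},
}

def tld_counts(records):
    """Count domains per top-level domain (the gTLD/ccTLD tally)."""
    return Counter(domain.rsplit(".", 1)[-1] for domain in records)

def is_attributable(record):
    """A domain is attributable if any contact field (name, org, email) is non-empty."""
    return any(record[field] for field in ("registrant", "org", "email"))

def attributable_domains(records):
    """Domains whose WHOIS record names an identifiable registrant."""
    return sorted(d for d, rec in records.items() if is_attributable(rec))

def ns_count_breakdown(records):
    """Map 'number of name servers' -> 'number of domains', skipping domains without NS data."""
    return Counter(len(rec["ns"]) for rec in records.values() if rec["ns"])

def shared_ns_clusters(records):
    """Group domains that share at least one name server (possible shared infrastructure).
    Domains are grouped per name server; duplicate groups are collapsed."""
    by_ns = defaultdict(set)
    for domain, rec in records.items():
        for ns in rec["ns"]:
            by_ns[ns.lower()].add(domain)
    clusters = {frozenset(ds) for ds in by_ns.values() if len(ds) > 1}
    return sorted(sorted(c) for c in clusters)

if __name__ == "__main__":
    print("TLDs:", dict(tld_counts(WHOIS_RECORDS)))
    print("Attributable:", attributable_domains(WHOIS_RECORDS))
    print("NS count breakdown:", dict(ns_count_breakdown(WHOIS_RECORDS)))
    print("Shared-NS clusters:", shared_ns_clusters(WHOIS_RECORDS))
```

A shared-NS cluster only suggests common hosting; registrars and bulk DNS providers are shared by many unrelated domains, so treat it as a lead to verify, not as an IoC in itself.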