Hunting for Magecart Infrastructure

by Eric Brandel Posted on August 2, 2019

Hunting for digital skimming/magecart infrastructure is interesting. We have an advantage that the bad guys can’t stop: unless they’ve breached the payment servers of some company, their actions are completely public. They’ll do their best to hide themselves, but every method they use leaves a fingerprint. So we get to exploit that. Let’s look at a common method for loading a digital skimmer. atob('Y2h…') is equal to ‘checkout’, so what this is doing is looking for checkout in the URL, and if it’s found, the rest of the code is executed.

If checkout is found in the URL, a skimmer from googletagmanger[.]com/js/gtm.js is loaded. What’s unique about this code? Another way of asking the same question: what’s different about this code from what you would see a normal web dev do? The atob calls, right? atob is the javascript function to base64 decode. btoa goes the other way.

So that is what we will pivot off of. Let’s search for the first one at PublicWWW. It should have a number of results, with plenty available to see even if you don’t have a paid account (which are great). You can take a look around at what is found and see what interesting Javascript you can find.

This time, by following the above steps, I found a different digital skimmer loader:

This is a slightly more advanced one that pretends to be benign. If you decode cmFja2FwaWpzLmNvbS9hcGkuanM= it turns into rackapijs[.]com/api.js.

Now we have two different loaders we can hunt on. This is a pretty common occurrence. A lot of the techniques end up being somewhat similar, so you’ll frequently stumble upon something new. Let’s go back to a previous method, and see what else we can find. Let’s search for ".src = atob(” and see what turns up.

Sometimes you’ll find instances of the threat actors making a mistake. For example here they added their digital skimmer loader into the content of a <meta> tag. This won’t ever get run, but we can pull out the base64 encoded value and go from there.

The value decodes to hxxps://ajaxclick[.]com/ajax/libs/1.3.9/click.js. If you go to that URL you get an empty file. One form of masking that is done by magecart groups is to examine you’re referrer. If you’re not coming from the correct site or page they will return either nothing or sometimes some benign code.

So what we need is another site that has the script and is properly loading it, unlike the one we found. There are two possible options. First let’s try URLScan. There are some results there, but they’re not too helpful. Another place to check is RiskIQ’s PassiveTotal. Once you find a site that you can use that as your referrer and get the script to load. Unfortunately, it is obfuscated, but it is one of the formats that beautifier.io handles really nicely.

The digital skimmer starts at line 289. If you scroll down to Line 301 you can see another domain being used: www-trust[.]com.

A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1157164420293750785

This entry was posted in Infosec, Magecart and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *