Cybersecurity company Malwarebytes says it has traced the host servers of a Magecart card skimming campaign to the so-called “independent Donetsk and Luhansk People’s Republics (D/LPR)” in eastern Ukraine: site of a festering war that has resulted in over 13,000 deaths to date.
So-called “bulletproof hosting” (hosting services resilient to law enforcement takedowns) are nothing new, but locating them in what is effectively a war zone put a unique twist on the offering.
Malware War Zone: More than a Metaphor
The area has been the site of a bitter conflict after local militia seized government buildings in Donetsk, Luhansk and Kharkiv in early 2014, declared the independence of “people’s republics”, and called referenda on joining Russia, which they scheduled for 11 May. Russia, however, never recognised the statelets, although it covertly sent troops to bolster their defence against Ukrainian efforts to retake them.
The cybercriminals are using servers advertised as being in a “private Luhansk data center”.
They are using autonomous system AS58271 “FOP Gubina Lubov Petrivna”, which describe as a “hotspot for IDN-based phishing, in particular around cryptocurrency assets”.
Malwarebytes’ threat intelligence team said they identified the host server location after investigating a Magecart campaign that was using a skimmer injected into compromised Magento sites and trying to pass itself for Google Analytics (google-anaiytic[.]com), a domain previously associated with the VisionDirect data breach.
Read this: Magecart Launches “Spray and Pray” Attacks on AWS S3 Buckets, Hits 17,000
Sniffing about the hosting servers, the security team found that each online store hacked as part of the campaign had its own skimmer, and identified a file detailing hundreds of affected ecommerce sites, replete with passwords.
They said: “We also discovered a tar.gz archive perhaps left behind by mistake containing the usernames and passwords needed to login into hundreds of Magento sites. These are the same sites that have been injected with this skimmer.
“Looking for additional OSINT, we were able to find a PHP backdoor that we believe is being used on those hacked sites. It includes several additional shell scripts and perhaps skimmers as well (snif1.txt).”
The criminals were using another Google lookalike site (google.ssl.lnfo[.]cc, to exfiltrate the card details they stole. (Magecart typically work via the insertion of a customized Javascript payment overlay for the specific site; allowing the “hackers” – often such sites are insecure: recent campaigns have involved dropping skimmers en masse in .js files in open AWS S3 buckets – to capture personal information and card details).
The “no-mans-land” status of the self-proclaimed republics makes them an ideal site for cybercriminals to host servers in: the host service for the sites being used in this particular campaign are being offered online by bproof[.]host at 176.119.1[.]89, which advertises “bulletproof IT services with VPS and dedicated servers”.