Researcher finds 1,236 websites infected with credit card stealers



Over a span of a few weeks, a security researcher collected more than 1,000 domains infected with payment card skimmers, showing that MageCart continues to be a prevalent threat that preys on insecure webshops.


MageCart was first spotted over a decade ago by cybersecurity company RiskIQ, but attacks have grown rampant over the past two years, when big-name companies were hit: British Airways, Ticketmaster, OXO, Newegg.


Since then, automated systems tuned specifically to detect this type of threat have found hundreds of thousands of websites that had malicious JavaScript on their checkout pages, designed to steal card data from shoppers.


200 alerts sent, no reply


Using freely available tools and some elbow grease, security researcher Max Kersten was able to compile a list of 1,236 domains that were hit by a web skimmer hosted on an external domain.


He started with one domain that hosted a skimmer and the Urlscan.io website scanning service. This allowed searching for a time when the skimmer domain changed in the infection chain.



“Repeating this process results in a list of all the exfiltration domains in the chain until it either breaks or the search is stopped. Additionally, one can recursively query every affected domain to search for other skimmer domains”
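The pivoting described above can be sketched as a breadth-first search that alternates between skimmer domains and the sites that loaded them. This is an added example, not the researcher's code: the scan records, the `.example` domain names and the allowlist rule for picking candidate skimmer domains are constructed assumptions, and the records stand in for results from a scanning service such as Urlscan.io.

```python
from collections import deque

# Constructed scan records (not real data): page domain, scan date, and the
# external domains that page loaded scripts from at scan time.
SCANS = [
    ("shop-a.example", "2019-01-10", {"cdn.example", "skim-one.example"}),
    ("shop-a.example", "2019-03-02", {"cdn.example", "skim-two.example"}),
    ("shop-b.example", "2019-03-05", {"skim-two.example"}),
    ("shop-b.example", "2019-04-20", {"skim-three.example", "stats.example"}),
    ("shop-c.example", "2019-04-22", {"skim-three.example"}),
    ("shop-d.example", "2019-02-01", {"cdn.example"}),
]
# Assumption: widely used script hosts are allowlisted; anything else seen on
# an affected site is only a candidate and still needs manual script review.
BENIGN = {"cdn.example", "stats.example"}


def pivot(seed, scans, benign):
    """Alternate skimmer domain -> affected sites -> other skimmer domains."""
    skimmers, sites, queue = {seed}, set(), deque([seed])
    while queue:
        current = queue.popleft()
        hit = {page for page, _, scripts in scans if current in scripts}
        for site in hit - sites:
            sites.add(site)
            # Walk the site's whole scan history, not just the matching scan.
            for page, _, scripts in scans:
                if page != site:
                    continue
                for cand in sorted(scripts - benign - skimmers):
                    skimmers.add(cand)
                    queue.append(cand)
    return skimmers, sites


def timeline(site, scans, skimmers):
    """Dates on which the skimmer domain loaded by a site changed."""
    changes, last = [], None
    for page, date, scripts in sorted(scans, key=lambda r: r[1]):
        found = sorted(scripts & skimmers)
        if page == site and found and found != last:
            changes.append((date, found))
            last = found
    return changes


if __name__ == "__main__":
    doms, shops = pivot("skim-one.example", SCANS, BENIGN)
    print(sorted(doms), sorted(shops))
    print(timeline("shop-a.example", SCANS, doms))
```

The output of `pivot` is a triage list for notification and blocking; each candidate domain should be confirmed by inspecting the script it serves before it is treated as a skimmer host.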