Malwarebytes announced in a Tuesday analysis that two malware domains of the newly discovered Magecart skimming campaign, “scanalytic[.]org” and “js.staticounter[.]net”, are part of a broader infrastructure used to carry out intrusions.
The earliest evidence of the campaign’s activity, based on the additional domains uncovered, suggests it dates back to at least May 2020.
Jérôme Segura, director of Threat Intelligence at Crunchbase, said: “We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines.”
Magecart is a cybercrime syndicate that specializes in cyberattacks on e-commerce storefronts and is composed of dozens of subgroups. Its trademark is digital credit card theft carried out by injecting JavaScript code.
It is unclear if Magecart is an organization with direction or simply unconnected groups who use the same method of attack.
In 2015 the attacks gained notoriety for singling out the Magento commerce platform. Since then the syndicate has expanded to target WooCommerce, a notable WordPress plugin.
WordPress has emerged as the top CMS platform for credit card skimming malware, with skimmers concealed in the website in the form of fake images and JavaScript theme files.
“Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web,” Sucuri’s Ben Martin noted.