Although observed Magecart skimmer attacks have been less frequently reported in recent months, analysts have discovered fresh infrastructure they were able to trace to malicious domains behind an ongoing campaign.
The Malwarebytes Labs team connected the skimmers to activity dating back to May 2020.
- hal-data[.]org/gre/code.js (Angular JS)
- hal-data[.]org/data/ (Logger)
- js.g-livestatic[.]com/theme/main.js (Modernizr)
The team added that a recent drop in Magecart activity could be because many threat actors may be pivoting from stealing credit-card numbers to more profitable targets.
“Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them,” the team wrote.
But worryingly, the disappearance of Magecart from the radar could also be because the attacks have moved server-side and become harder to detect with simple scanners, the analysts said.
“Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level,” the team said about waning detections of Magecart skimmer attacks.