Expanding Magecart Threat Research with Validin

Here's a quick example of using Validin to expand recent research by Source Defense on #magecart attacks:

https://x.com/sdcyberresearch/status/1816105654416748722

Source Defense identified the domain logicloo[.]com as facilitating payment fraud. In Validin, we find that the IP for logicloo[.]com, 91.194.11[.]108, overlaps perfectly in time with the PTR record 03[.]mrs. That PTR record is fairly distinctive, since .mrs is not a valid TLD.

Usage of the PTR record 03[.]mrs coincides with the usage by logicloo[.]com.

We can use Validin to find other PTR records that use *.mrs and identify 4 others that begin at nearly identical times and have nearly identical naming schemes:

Finding PTR records with strong correlation.

Pivoting from the IPs in these PTR records, we find near-perfect timing overlap with the following domains:

01.mrs -> 95.164.117[.]119 -> pixelforgts[.]com

02.mrs -> 94.131.107[.]101 -> devblen[.]com

04.mrs -> 185.242.87[.]200 -> cdnjsdev[.]com

05.mrs -> 138.124.180[.]178 -> techglitc[.]com

(Note that all of these new IPs reside within low-reputation STARK-INDUSTRIES, AS 44477.)

Example overlap of a similarly-named PTR record.

We observe that one of these domains, pixelforgts[.]com, changed in early June:

Both the PTR record and domain A record changed around the same time.

Pivoting from pixelforgts[.]com, we see another IP in STARK-INDUSTRIES, 185.248.144[.]22.

Observing the IP change using Validin's timeline.

Pivoting from this IP, we observe several other domains with recent, overlapping DNS history that use familiar naming conventions:

Domains recently pointing to 184.248.144[.]22 with recent PTR records.

cdnassetsite[.]com

cdnamgastyle[.]com

cdnamgasite[.]com

Note that logicloo[.]com, devblen[.]com, pixelforgts[.]com, and cdnjsdev[.]com were all registered within 14 minutes of each other from PDR Ltd, which improves our confidence that these are controlled by the same actors.

One of several domains that were registered around 14:10 UTC on 29 April 2024.
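The two pivots used above (matching a PTR record to a domain's A record by shared IP plus observation-window overlap, and grouping domains registered within minutes of each other) can be scripted over exported DNS history. The following is an added example and is not Validin's code or output; the records, windows and registration timestamps are constructed to mirror the findings above.

```python
"""Timeline-overlap pivots for clustering suspected Magecart infrastructure."""
from datetime import datetime, timedelta


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as logicloo[.]com into a plain string."""
    return indicator.replace("[.]", ".")


def overlap_ratio(a, b) -> float:
    """Jaccard-style overlap of two (first_seen, last_seen) windows, 0.0..1.0."""
    inter = max(timedelta(0), min(a[1], b[1]) - max(a[0], b[0]))
    union = max(a[1], b[1]) - min(a[0], b[0])
    return inter / union if union else 0.0


def correlate_ptr_with_domains(ptr_records, a_records, threshold=0.9):
    """Return (ptr_name, ip, domain, ratio) for every PTR/A pair that shares an
    IP and whose observation windows overlap by at least `threshold`."""
    hits = []
    for ptr_name, ptr_ip, ptr_win in ptr_records:
        for domain, dom_ip, dom_win in a_records:
            ratio = overlap_ratio(ptr_win, dom_win) if ptr_ip == dom_ip else 0.0
            if ratio >= threshold:
                hits.append((ptr_name, ptr_ip, refang(domain), ratio))
    return hits


def registration_clusters(registrations, window=timedelta(minutes=14)):
    """Group domains whose creation times all fall within one `window` span
    (sorted by time; a cluster is keyed by its earliest registration)."""
    clusters = []  # list of (members, earliest_created)
    for domain, created in sorted(registrations.items(), key=lambda kv: kv[1]):
        if clusters and created - clusters[-1][1] <= window:
            clusters[-1][0].append(domain)
        else:
            clusters.append(([domain], created))
    return [members for members, _ in clusters if len(members) > 1]


# Constructed sample data (not real Validin output). Windows are (first_seen, last_seen).
D = datetime
PTRS = [("03.mrs", "91.194.11.108", (D(2024, 5, 1), D(2024, 7, 20))),
        ("01.mrs", "95.164.117.119", (D(2024, 5, 1), D(2024, 6, 5))),
        ("ns1.example.invalid", "91.194.11.108", (D(2023, 1, 1), D(2023, 3, 1)))]
AREC = [("logicloo[.]com", "91.194.11.108", (D(2024, 5, 2), D(2024, 7, 20))),
        ("pixelforgts[.]com", "95.164.117.119", (D(2024, 5, 1), D(2024, 6, 6))),
        # previous tenant of the same IP: shared address but no window overlap
        ("oldtenant.example", "91.194.11.108", (D(2023, 6, 1), D(2023, 12, 1)))]
REGS = {"logicloo.com": D(2024, 4, 29, 14, 10), "devblen.com": D(2024, 4, 29, 14, 15),
        "pixelforgts.com": D(2024, 4, 29, 14, 20), "cdnjsdev.com": D(2024, 4, 29, 14, 24),
        "cdnassetsite.com": D(2024, 6, 3, 9, 0)}
```

Run `correlate_ptr_with_domains(PTRS, AREC)` and `registration_clusters(REGS)` to see which PTR/domain pairs survive the overlap threshold and which domains fall into the 14-minute registration burst; the old tenant on the shared IP is correctly ignored.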

Interested in learning more techniques for quickly expanding high-quality threat intelligence with Validin? Check out the Validin blog or contact us to schedule a demo with your organization.
