Expanding Magecart Threat Research with Validin
Here's a quick example of using Validin to expand recent research by Source Defense on #magecart attacks:
Source Defense identified the domain logicloo[.]com as facilitating payment fraud. In Validin, the IP for logicloo[.]com, 91.194.11[.]108, overlaps exactly in time with the PTR record 03[.]mrs. That PTR record is a distinctive pivot because mrs is not a valid TLD, so the name is unlikely to collide with legitimate infrastructure.
We can use Validin to find other PTR records that use *.mrs and identify four others that begin at nearly identical times and follow the same naming scheme:
Pivoting from the IPs in these PTR records, we find near-perfect timing overlap with the following domains:
01.mrs -> 95.164.117[.]119 -> pixelforgts[.]com
02.mrs -> 94.131.107[.]101 -> devblen[.]com
04.mrs -> 185.242.87[.]200 -> cdnjsdev[.]com
05.mrs -> 138.124.180[.]178 -> techglitc[.]com
(Note that all of these new IPs reside in AS 44477, STARK-INDUSTRIES, a low-reputation hosting provider.)
We observe that one of these domains, pixelforgts[.]com, changed its IP resolution in early June:
Pivoting from pixelforgts[.]com, we see another IP in STARK-INDUSTRIES, 185.248.144[.]22.
Pivoting from this IP, we observe several other domains with recent, overlapping DNS history that use familiar naming conventions:
cdnassetsite[.]com
cdnamgastyle[.]com
cdnamgasite[.]com
Note that logicloo[.]com, devblen[.]com, pixelforgts[.]com, and cdnjsdev[.]com were all registered within 14 minutes of each other through the registrar PDR Ltd, which raises our confidence that they are controlled by the same actor.
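The three pivots above (flag a PTR target whose TLD is not real, chain it through a shared IP to domains whose DNS history overlaps in time, then cluster the resulting domains by registrar and creation time) can be scripted once you have exported the records. The following is an added example written for this post, not Validin's code or API: it operates on constructed in-memory records whose timestamps are invented, the IPs and names are the ones listed above, and the TLD list is a placeholder subset you would replace with the IANA root zone list. It generalizes the single 14-minute registration window in the text to a configurable window and the "near-perfect timing overlap" to a numeric overlap threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder subset of real TLDs; in practice load the full IANA root zone list.
VALID_TLDS = {"com", "net", "org", "io", "ru", "de"}


@dataclass
class DnsRecord:
    name: str            # PTR target hostname, or the domain for an A record
    ip: str
    first_seen: datetime
    last_seen: datetime


def suspicious_ptr(hostname, valid_tlds=VALID_TLDS):
    """True when a PTR target ends in a label that is not a real TLD (e.g. '03.mrs')."""
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld not in valid_tlds


def overlap_fraction(a, b):
    """Fraction (0.0-1.0) of the shorter record's lifetime that overlaps the other's."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    if end <= start:
        return 0.0
    shorter = min(a.last_seen - a.first_seen, b.last_seen - b.first_seen)
    if shorter.total_seconds() == 0:
        return 1.0
    return (end - start) / shorter


def pivot_ptr_to_domains(ptr_records, a_records, min_overlap=0.9):
    """For each suspicious PTR, return (ptr_name, ip, domain) for A records on the
    same IP whose observed lifetime overlaps the PTR's by at least min_overlap."""
    chains = []
    for ptr in ptr_records:
        if not suspicious_ptr(ptr.name):
            continue
        for a in a_records:
            if a.ip == ptr.ip and overlap_fraction(ptr, a) >= min_overlap:
                chains.append((ptr.name, ptr.ip, a.name))
    return chains


def registration_clusters(registrations, window=timedelta(minutes=15)):
    """Group domains registered through the same registrar within `window` of the
    first domain in the group. Input: (domain, registrar, created) tuples.
    Singletons are dropped because they give no corroboration."""
    by_registrar = {}
    for domain, registrar, created in registrations:
        by_registrar.setdefault(registrar, []).append((created, domain))
    clusters = []
    for registrar, items in by_registrar.items():
        items.sort()
        current = []
        for created, domain in items:
            if current and created - current[0][0] > window:
                if len(current) > 1:
                    clusters.append((registrar, [d for _, d in current]))
                current = []
            current.append((created, domain))
        if len(current) > 1:
            clusters.append((registrar, [d for _, d in current]))
    return clusters


# Constructed sample data: names/IPs from the post, timestamps invented for illustration.
T0 = datetime(2024, 5, 1)
T1 = datetime(2024, 6, 1)
PTR_RECORDS = [
    DnsRecord("01.mrs", "95.164.117.119", T0, T1),
    DnsRecord("03.mrs", "91.194.11.108", T0, T1),
    DnsRecord("04.mrs", "185.242.87.200", T0, T1),
    DnsRecord("ns1.example.net", "203.0.113.5", T0, T1),   # benign decoy, valid TLD
]
A_RECORDS = [
    DnsRecord("pixelforgts.com", "95.164.117.119", T0 + timedelta(minutes=10), T1),
    DnsRecord("logicloo.com", "91.194.11.108", T0, T1),
    DnsRecord("cdnjsdev.com", "185.242.87.200", T0, T1),
    DnsRecord("unrelated.com", "95.164.117.119",           # same IP, no time overlap
              datetime(2023, 1, 1), datetime(2023, 2, 1)),
    DnsRecord("example.net", "203.0.113.5", T0, T1),
]
R0 = datetime(2024, 4, 30, 12, 0)
REGISTRATIONS = [
    ("logicloo.com", "PDR Ltd", R0),
    ("devblen.com", "PDR Ltd", R0 + timedelta(minutes=5)),
    ("benign.com", "Other Registrar", R0 + timedelta(minutes=7)),
    ("pixelforgts.com", "PDR Ltd", R0 + timedelta(minutes=9)),
    ("cdnjsdev.com", "PDR Ltd", R0 + timedelta(minutes=14)),
    ("techglitc.com", "PDR Ltd", R0 + timedelta(hours=6)),  # invented, outside window
]

if __name__ == "__main__":
    for chain in pivot_ptr_to_domains(PTR_RECORDS, A_RECORDS):
        print(" -> ".join(chain))
    for registrar, domains in registration_clusters(REGISTRATIONS):
        print(f"{registrar}: {', '.join(domains)}")
```

The overlap threshold matters more than it looks: a shared IP alone is weak evidence on a bulk hosting provider, so the script requires the A record to live inside the PTR's lifetime rather than merely touch it. The registrar clustering is deliberately conservative as well, keying on the exact registrar string and measuring every domain against the first one in the cluster, so a long trickle of registrations does not chain into one giant group.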
Interested in learning more techniques for quickly expanding high-quality threat intelligence with Validin? Check out the Validin blog or contact us to schedule a demo with your organization.