This blog post was authored by Jérôme Segura
A very common practice among criminals consists of mimicking legitimate infrastructure when registering new domain names. This is very true for Magecart threat actors who love to impersonate Google, jQuery and many other popular brands.
In this post we look at a skimmer recently disclosed by security researchers that has been around for over a year but managed to keep a low profile. In addition to naming several of their domains after Google, the threat actor is also naming their domains after the websites they have compromised.
Often, identifying additional infrastructure on the same network is a relatively simple exercize. But in this case it is more complex because the hosting servers are comprised of a large number of domains names, many of which are also malicious but not skimming related. Hiding in the noise is another common trait for threat actors.
Keeping it simple
This skimmer was publicly mentioned by Eric Brandel in early June 2021 and unlike Magecart JavaScript code, this one is very straightforward. Jordan Herman had also previously spotted this skimmer and referred to it as Lil’ Skim. Based on an urlscan.io crawl, it appears the earliest instance is from at least March 2020, via googie[.]host.
A dense network hiding more skimmer domains
A quick review of the Autonomous System (AS198610 Beget) where those skimmer domains are found shows a significant number of malicious hosts tied to phishing kits, Windows payloads, and Android malware just to name a few. Two IP addresses in particular, 87.236.16[.]107 and 87.236.16[.]10, are host to additional skimmer domains belonging to Lil’ Skim.
For example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing to interact with customers. We recognize the same Lil’ Skim code here as well:
Custom domains by compromised store
And then we discovered a number of skimmer domains that were named after compromised stores. This in itself is not a new practice and is often seen with phishing sites. The threat actor simply replaced the top level domain name with .site, .website or .pw to create hosts that load the skimmer code and receive stolen credit card data.
All the domains we found (c.f. IOCs) were hosted on 87.236.16[.]107.
Conclusion
Lil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other Magecart scripts. The threat actor is keen of impersonating internet companies but also the victim sites it goes after.
We were able to track this actor across the same ASN where they registered a number of different domains over a period of at least a year. There likely are more pieces of infrastructure to uncover here, but that might be a time consuming process.
We have notified the stores that have been impacted by this campaign. Additionally, Malwarebytes customers are already protected via our web protection module across our different products including Malwarebytes Browser Guard.
Indicators of Compromise
The following IOCs are linked to urlscan.io crawls whenever possible.
Standard skimmer domains
Skimmer domains impersonating compromised sites
Skimmer IPs
Known victim sites
