It's never good when 'Magecart' and 'bulletproof' appear in the same sentence, but here we are

Ukrainian civil war a bonanza for dodgy malware hosting firms

A growing crop of so-called bulletproof hosting companies is using the ongoing civil war in Ukraine to host Magecart malware without fear of the police coming knocking.

Researchers with security shop Malwarebytes say that the data-exfiltration and hosting servers used by Magecart operations to collect harvested card details have been traced to the Ukrainian city of Luhansk, located in an area contested by pro-European and pro-Russian forces.

Here's how it works: Magecart's operators hacked websites to install malicious script code onto the payment webpages of reputable sites. After netizens type their bank card details into those infected payment pages, the Magecart code uploads the victims' sensitive personal information to command-and-control servers physically housed in Luhansk, Ukraine, where hosting companies know that the ongoing conflict means there is little chance of a raid from police officers or g-men. Basically, there's no functioning government available to investigate the server hosts.

These data centers, pitched as 'bulletproof,' naturally appeal to groups running less-than-reputable operations that would be subject to raids or takedown requests if hosted in other locations.

"Due to the very nature of such hosts, takedown operations are difficult," Malwarebytes explained. "It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model."

The use of bulletproof hosting is particularly bad in the case of Magecart, as it eliminates one of the more effective means of stopping the infection - disabling command and control servers.

Because Magecart operates by injecting a simple chunk of code into the individual payment pages (as opposed to installing an entire malware payload, for example) it can be difficult to scrub from the infected machines themselves.

On the other hand, the exfiltration servers where the harvested card data was sent and the command servers where the malware was controlled are weak spots that, if disabled, would effectively shut down the card-harvesting operation.

Now, with the C&C and exfiltration servers stashed behind bulletproof hosts, Malwarebytes says it is having to block all domains and IP addresses associated with the skimmers.
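The two weak spots the article describes, the injected script on the checkout page and the exfiltration host it talks to, are what a site owner can watch for without relying on a takedown. Below is an added defender-side example that is not code from the article or from Malwarebytes: it parses a checkout page, collects every host its scripts load from or reference, compares them against an allowlist, and builds a Content-Security-Policy header from that same allowlist so the browser refuses connections to anything else. The allowlist, the sample page and the hostnames in it are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the shop's own domain and its payment provider's
# script host.  A real one would come from the site owner's asset inventory.
ALLOWED_HOSTS = {"shop.example", "js.psp.example"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # values of <script src="...">
        self.inline = []        # bodies of <script>...</script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def script_hosts(html):
    """Return every hostname the page's scripts load from or mention."""
    parser = ScriptCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host:                       # relative src means same-origin; skip
            hosts.add(host)
    for body in parser.inline:
        for url in URL_RE.findall(body):
            hosts.add(urlparse(url).hostname)
    return hosts


def unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Hosts referenced by scripts that are not on the allowlist."""
    return sorted(h for h in script_hosts(html) if h not in allowed)


def csp_header(allowed=ALLOWED_HOSTS):
    """Build a CSP that confines script loading and outbound requests
    to the allowlisted hosts, so an injected script cannot reach an
    unlisted exfiltration server even if it runs."""
    hosts = " ".join(sorted(allowed))
    return (
        "Content-Security-Policy: "
        f"script-src 'self' {hosts}; "
        f"connect-src 'self' {hosts}; "
        "img-src 'self'"
    )


# Constructed checkout page.  The third script stands in for an injected
# snippet; all this check needs is that it refers to an unknown host.
SAMPLE_CHECKOUT = """
<html><body>
<form id="payment"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v1/card.js"></script>
<script>
  var collector = "https://stats-collector.example/p";
</script>
</body></html>
"""

if __name__ == "__main__":
    print("unexpected script hosts:", unexpected_hosts(SAMPLE_CHECKOUT))
    print(csp_header())
```

Run against the constructed page, the check flags `stats-collector.example` and leaves the payment provider's host alone. The regex only catches absolute `http(s)://` URLs in inline scripts; a real monitor would also diff the page's script set against a known-good baseline on every crawl, since the skimmer code itself changes while the unexpected host is what gives it away.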

This comes as Magecart is also expanding its operation into the fertile ground of unprotected S3 buckets.

Last week researchers reported that more than 17,000 sites had been seeded with Magecart code after the storage bucket hosting their pages was left facing the public internet with no security protections. ®

Biting the hand that feeds IT © 1998–2022