A growing crop of so-called bulletproof hosting companies are using the ongoing civil war in Ukraine to host Magecart malware without fear of the police coming knocking.
Researchers with security shop Malwarebytes say that the data-exfiltration and hosting servers used by Magecart operations to collect harvested card details have been traced to the Ukrainian city of Luhansk, located in an area contested by pro-European and pro-Russian forces.
Here's how it works: Magecart's operators hacked websites to install malicious script code onto the payment webpages of reputable sites. After netizens type in their bank card details into those infected payment pages, the Magecart code uploads the victims' sensitive personal information to a command-and-control servers physically housed in Luhansk, Ukraine, where hosting companies know that the ongoing conflict means there is little chance of a raid from police officers or g-men. Basically, there's no functioning government available to investigate the server hosts.
These data centers, pitched as 'bulletproof,' naturally appeal to groups running less-than-reputable operations that would be subject to raids or takedown requests if hosted in other locations.
"Due to the very nature of such hosts, takedown operations are difficult," Malwarebytes explained. "It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model."
The use of bulletproof hosting is particularly bad in the case of Magecart, as it eliminates one of the more effective means of stopping the infection - disabling command and control servers.
Breaking news: Bank-card-slurping malware sneaks into Forbes' mag subscription websiteREAD MORE
Because Magecart operates by injecting a simple chunk of code into the individual payment pages (as opposed to installing an entire malware payload, for example) it can be difficult to scrub from the infected machines themselves.
On the other hand, the exfiltration servers where the harvested card data was sent and the command servers where the malware was controlled are weak spots that, if disabled, would effectively shut down the card-harvesting operation.
Now, with the C&C and exfiltration servers stashed behind bulletproof hosts, Malwarebytes says it is having to block all domains and IP addresses associated with the skimmers.
This as Magecart is also expanding its operation into the fertile ground of unprotected S3 buckets.
Last week researchers reported that more than 17,000 sites had been seeded with Magecart code after the storage bucket hosting their pages was left facing the public internet with no security protections. ®