Credit card skimming domains repurposed in ad fraud scams

The hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks has spawned a secondary trade in cybercrime.

Magecart has spread across hundreds of thousands of sites and affected millions of users.

Cybercriminals have managed to carve out a piece of this action by running campaigns that turn Magecart compromised domains into platforms for ad distribution or other scams.

These secondary actors operate on the premise that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data.

Breach cycle

Most malicious domains end up getting sink-holed by various parties. However, some of them are kicked offline by the registrar, put on hold, and then eventually released back into the pool of available domains.

Scavengers are lying in wait to snap up domains with a history of abuse by Magecart as soon as the
registrars release them for sale.

Once malicious domains come back online, compromised websites will still load in scripts from them. Scavenger cybercrooks abuse this by loading up new JavaScript files on the malicious domains they buy up, effectively taking over where the skimmers left off, threat intel firm RiskIQ reports.

The practice can be viewed as a new mechanism for making money from so-called dropped domains.

“Buying up dropped domains is nothing new, for the most part these are bought by what we call ‘domainers’, which are people who trade on domains to make a living,” RiskIQ threat researcher Yonathan Klijnsma told The Daily Swig.

“General monetization also happens often, domains get bought up and a parking page is put on them for when visitors arrive, which also display ads to monetize the page.”

“Monetization as we’re seeing here is less common, purposefully accepting traffic for what they know are active injections on websites left-over from past incidents is not that common.”

Under the radar

Both Magecart and secondary abusers of compromised websites are taking advantage of the fact that site owners have little visibility into the JavaScript running on their website.

A lack of visibility means a lifecycle of a malicious domain embedded on a website — moving from web-skimming to deactivation onto reactivation as part of another online scan entirely — can take place under the radar.

Data gathered by RiskIQ suggests that a Magecart skimmer stays on a compromised site for an average of over two months. In some cases, malicious code remains there indefinitely, likely because legitimate site owners are blissfully unaware about malicious activity.

“The challenge with these domains is that many website owners were never aware of an active skimmer threat on their site in the first place,” Klijnsma added. “And unfortunately, once these malicious domains come back online, bad actors can pick up where the original skimmer left off with the intention of monetization.”

Scavenger cybercriminals – likely experienced in affiliate marketing for dodgy websites and ad brokering – are buying up domains they know bring in a lot of traffic.

“While ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites,” RiskIQ concluded. “In the future, threat actors may also engage in other schemes and threat activity far more malevolent than advertising.”


Various websites and tools allow people to pick up these dropped domains.

“Sites like or actively provide free as well as paid services for monitoring,” Klijnsma explained.

“These sites also rank the popularity (and amount of people still linking to these sites) for the dropped domains, which you can rank on. This way you can buy domains that are “well known” so you can expect some traffic on them,” he added.

RiskIQ’s research on the emerging trade in “recycled” Magecart domains includes an example of one particular scam, as well as advice to website admins on how to stay ahead of scams.

“Site owners must maintain visibility into the code on their site – make sure it’s clean, updated, and checked on regularly,” RiskIQ advises. “RiskIQ works with incredible partners to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data.

“However, this does not keep a website clean forever – dutiful vigilance and maintenance is the only way to prevent being victimized by Magecart and follow-up attacks by secondary markets,” it adds.

RELATED: Criminal turf war may be brewing after Magecart double whammy