Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)

Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x

First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
3/x

*shrug* Your call I guess. I'm going to do my best to obfuscate what we're looking at. Anyways, now that that's out of the way, here's some tools/sites to sign up for/grab before we get started:
4/x

- urlscan @urlscanio (free, but a pro version is in the works)
- publicwww @publicww (free works, but paid is better)
- RiskIQ PassiveTotal community edition @RiskIQ
- Tails VM @Tails_live
5/x

Ok, now, where to start? First, we have an advantage that the bad guys can't stop: unless they've breached the payment servers of some company, their actions are completely public. They'll do their best to hide themselves, but every method they use leaves a fingerprint.
6/x

So we get to exploit that. Let's look at a common method for loading a digital skimmer. atob('Y2h...') is equal to 'checkout', so what this is doing is looking for 'checkout' in the URL, and if it's found, the rest of the code is executed...
7/x

and a skimmer from googletagmanger[.]com/js/gtm.js is loaded. Now, let's take a step back and assume we didn't know about this method. Where would one find out about techniques that #magecart groups are using in the first place?
8/x

Easy: writeups about major breaches, or blogs by security researchers at places like:
- Sanquine Security @eComscan
- Group-IB @GroupIB_GIB
- Sucri Labs @sucurilabs
- RiskIQ @RiskIQ
- Malwarebytes - @Malwarebytes
9/x

Start with what they've written, then start investigating the sites at @urlscanio. It's likely that someone scanned the affected sites. Look at how the skimmer was loaded. There's a variety of ways that this is done, from normal script tags to fake Google Analytics code.
10/x

I've broken down advanced #magecart loaders in the past, if you're interested:

https://twitter.com/AffableKraut/status/1138687107839516672

11/x

Ok, so back to this code. What's unique about it? Another way of asking the same question: what's different about this code from what you would see a normal web dev do? The atob calls, right? atob is the javascript function to base64 decode. btoa goes the other way.
12/x

So that is what we will pivot off of. Let's search for the first one at @PublicWW - Should have 84 or so results, with plenty available to see even if you don't have a paid account (which are great) publicwww.com/websites/atob%…

13/x

One thing you may notice is that these examples aren't quite the same as the above example. And this is common - there's lots of copying/reuse by the digital skimmer crowd.
14/x

Find one you want to look at, right click the little icon next to the url, copy the url, and then drop it into @Tails_live. Why visit it over Tor? Not really that big of a threat, but some digital skimming groups are watching us as we watch them: sansec.io/labs/2018/10/0…
15/x

Anyways, accept whatever level of opsec you're comfortable with, and visit the site, then view the source. CTRL-F for atob. If it's not there, the site owner may have cleaned up the skimmer code, so try another one.
16/x

Now, you may find code like the example I showed above, or you may end up with something slightly different. Look! It's a different #magecart loader:
17/x

a slightly more advanced one that pretends to be benign. Doing a decode of that cmFja2FwaWpzLmNvbS9hcGkuanM= string (I just keep base64decode.org open to be honest) and we've found a digital skimmer that's being loaded from rackapijs[.]com/api.js
18/x

Cool, right? Now we have two different loaders we can hunt on. This is a pretty common occurrence. A lot of the techniques end up being somewhat similar, so you'll frequently stumble upon something new. Ok, let's go back to a previous method, and see what else we can find.
19/x

Ok, let's go back to a previous method, and see what else we can find. Let's search for "b.src = atob(" and see what turns up:

publicwww.com/websites/%22b.…

20/x

Meh... not much. Three results to look at. Let's drop the "b" from the previous search, who knows, maybe that's something that changes, and see what we get, and presto - ~1500 results, now we're talking: publicwww.com/websites/%22.s…
21/x

Now, some of those results aren’t digital skimmers, but you can pretty easily see from the results which ones are. One of the results I went to tonight had a failed attempt by our #magecart friends, but let's look at it anyways.

22/x

If you piece together the bits from the atob call you get hxxps://ajaxclick[.]com/ajax/libs/1.3.9/click.js

That's a previously unknown skimmer domain, as far as I'm aware. So, congrats, we've now found one new piece of infrastructure. But let's keep going.

23/x

Go to that URL and you get... an empty file. Oh well, must be nothing, right? Not quite: one of the things that #magecart groups will do is examine your referrer. If you're not on the correct site or page, they'll return nothing or sometimes they'll return benign code.

24/x

Hmm... guess Twitter has a 25 tweet thread limit, so I'll have to continue this on another thread.

Or maybe you can continue it? Strange, well, here goes.

So what we need is another site that has the script and is properly loading it, unlike the one we found. There are two possible options. First let's try @urlscanio: urlscan.io/search/#domain…

26/x

Turns out, while there are some hits, they're old and aren't helpful. Another option is @RiskIQ's PassiveTotal. Search for the domain, then click the Host Pairs tab, and you'll see some fresh hits: community.riskiq.com/search/ajaxcli…
27/x

Pick one of those and visit it. For the option I selected, they weren't using the loader technique they failed at above, they just loaded it with a script tag.
28/x

A reminder: if it's like one of the examples higher up, that checked to see if you're on the checkout page, the skimmer won't load until you've gotten to that point.
29/x

Now with the proper referer in place, the script loads. There are other methods to accomplish this, but that's outside the scope of this. Anyways, you'll see a script that looks like this one: gist.github.com/krautface/4d22…
30/x

As you can see, it's obfuscated. Thankfully, this is one of the formats that beautifier\.io handles really nicely. The deobfuscated script: gist.github.com/krautface/64fc…
31/x

Now, why do we want to try and deobfuscate the code? To see what other infrastructure might be utilized. This is a longer skimmer, with lots of code to encrypt its payload.
32/x

If you scroll down to line 301, you'll see another URL: hxxps://www-trust[.]com/safebrowsing/sd/ChVnb29nLWJhZGJpbnVcmVmZXJlciBwaHAgcmVkaXJlY3Q/
33/x

Look at that. Kind of looks legit, doesn't it? But lines 295-299 make it clear that this is looking for credit card data, among other things. Unfortunately, many skimmers aren't this easy to deobfuscate, but that's another topic entirely.
34/x

So we've uncovered two new domains being used by a #magecart group: an exfil at www-trust[.]com and ajaxclick[.]com which is being used to host the JS. And that's one way to hunt for digital skimming infrastructure, using tools from @urlscanio, @publicww, @RiskIQ, and @Tails_live

/endthread