As the holiday season approaches, many people rely heavily on the internet for their shopping. With fewer than 50 online shopping days until Christmas, the pressure to bargain hunt is skyrocketing, and retailers are gearing up to make tempting offers on those dream items. However, it's not just the online retailers gearing up to take your money; the online criminals are, too.

Brian Krebs wrote a fascinating article about how cybercrooks are moving to what RiskIQ has dubbed web-based card skimming.

  1. Increasingly these data-slurping scripts are hidden behind fully fraudulent https:// domains that are custom-made to look like they might be associated with content delivery networks (CDNs) or web-based scripts, and include terms like “jquery,” “bootstrap,” and “js.”
  2. Oftentimes, the malicious domain created to host a data-snarfing script mimics the host domain by referencing a doppelganger web site name. For example, check out the source code for the e-commerce site, “bargainjunkie-dot-com.” You’ll notice at the bottom that it pulls a malicious script from the domain “bargalnjunkie-dot-com,” where the “i” in “bargain” is sneakily replaced with a lowercase “L”.

In it, he mentions an IP address, 46.161.40[.]49, which hosts a number of these typosquatting JavaScript injection sites, including “bargalnjunkie-dot-com.”

At ThreatSTOP, we’re always interested in IP addresses that are hosting multiple malware domains. We have frequently noticed that the IP addresses around such a host are also bad, so we often take a look at the neighborhood.

Not at all to our surprise, the 46.161.40[.]49 address is in a fascinating, if shady, neighborhood. It’s in AS 58271, which belongs to a Moldovan group called Ankas Group (it is hosted in Moldova, Russia or Ukraine; the various IP geolocation sources currently disagree, and I’m not completely sure it matters). Either way, the /24 has been implicated in numerous scams over the years.

As it happens, there are tons of other interesting domains on nearby hosts. ThreatSTOP has identified browser crypto mining on 46.161.40[.]11, as well as some other shadiness on 46.161.40[.]61…

However, 46.161.40[.]114 turned out to be particularly interesting, as it is the name server (NS) for a number of interesting domains:

  • sucuri-js[.]com
  • sucuri-cloud[.]com
  • secury-checkout[.]com

Note: Web owners who are using Sucuri (https://sucuri.net) to protect their websites should definitely check that the JavaScript they are including comes from a genuine Sucuri domain, not one of the domains related to this IP like sucuri-cloud[.]com or sucuri-js[.]com.
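One way a site owner could automate that check, as an added example that is not ThreatSTOP's or Sucuri's code: the script below parses a page's `<script src>` includes and flags hosts that are a single edit or two away from the site's own domain (the bargain/bargaln trick) or that embed a trusted vendor's brand name without actually being that vendor's domain. The sample HTML, the `bargainjunkie.com` site name and the brand table are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the hypothetical shop bargainjunkie.com; the last
# include points at the "bargalnjunkie" doppelganger (the "i" swapped for "l").
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://cdn.bargainjunkie.com/js/app.js"></script>
<script src="https://sucuri-js.com/monitor.js"></script>
</head><body>
<script src="https://bargalnjunkie.com/jquery.js"></script>
</body></html>
"""

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def registrable(host):
    """Crude brand.tld extraction: the last two labels (assumes simple TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; one substitution/insertion/deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_script_hosts(html, site_domain, trusted_brands):
    """Return [(host, reason)] for includes whose host looks like a typosquat of
    the site itself or a lookalike of a trusted vendor (brand -> genuine domain)."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if not host:
            continue  # relative src: same origin, nothing to check here
        reg = registrable(host)
        if reg != site_domain and edit_distance(reg, site_domain) <= 2:
            findings.append((host, f"doppelganger of {site_domain}"))
            continue
        for brand, genuine in trusted_brands.items():
            if brand in reg and reg != genuine:
                findings.append((host, f"lookalike of {genuine}"))
    return findings
```

The distance threshold of 2 is a tunable assumption; shorten it for very short site names to avoid false positives.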

So, how does the average internet shopper know whether the JavaScript included on the websites they’re visiting is legitimate, or a malicious script hosted by an unsavory hosting provider?

In this case, the real giveaway is that the hosting provider is in Ukraine (or possibly Moldova/Russia), which is an unlikely location for a legitimate host. This isn’t necessarily easy for a human to tell, but it is easy for a DNS server, firewall or router with the right information.

One of the advantages of ThreatSTOP is that we make it incredibly easy to block entire geographic regions, so that our customers who have no legitimate reason to communicate with Eastern Europe, Nigeria or the People’s Republic of China can have all traffic to those regions blocked. This means that if a user on a network with one of these policies accidentally starts requesting malicious JavaScript includes from a host in these regions, the connection will fail and the user will be protected.

Of course, in this case all ThreatSTOP users are protected because we have specifically added these IP addresses and domains to our lists, as well as certain related ones that showed up when we looked for other places associated with the same domains.


Interested in seeing for yourself ThreatSTOP’s geo-blocking (plus, many, many more) capabilities? Check out a short demo here.