# Lil’ skimmer, the Magecart impersonator

**[blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/](https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/)**

Threat Intelligence Team June 28, 2021

_This blog post was authored by Jérôme Segura_

A very common practice among criminals consists of mimicking legitimate infrastructure
when registering new domain names. This is very true for Magecart threat actors who love to
impersonate Google, jQuery and many other popular brands.

In this post we look at a skimmer recently disclosed by security researchers that has been
around for over a year but managed to keep a low profile. In addition to naming several of
their domains after Google, the threat actor is also naming their domains after the websites
they have compromised.

Often, identifying additional infrastructure on the same network is a relatively simple
exercize. But in this case it is more complex because the hosting servers are comprised of a
large number of domains names, many of which are also malicious but not skimming related.
Hiding in the noise is another common trait for threat actors.

## Keeping it simple


-----

This skimmer was publicly mentioned by Eric Brandel in early June 2021 and unlike
Magecart JavaScript code, this one is very straightforward. Jordan Herman had also
[previously spotted this skimmer and referred to it as](https://twitter.com/TracerSpiff/status/1399840920057659404?s=20) [Lil’ Skim. Based on an urlscan.io crawl,](https://twitter.com/TracerSpiff/status/1399852523347927046?s=20)
[it appears the earliest instance is from at least March 2020, via googie[.]host.](https://urlscan.io/responses/44bac77e9f8c60d6b01729b2d447b748c7e6e123dfd8ee87867d3fd13489503d/)

[Newish Google themed digital skimming/#magecart domains](https://twitter.com/hashtag/magecart?src=hash&ref_src=twsrc%5Etfw)

googie-analitycs.site
googie-analytics.online
googie-analytics.website
googletagsmanager.website

[Example on @urlscanio](https://twitter.com/urlscanio?ref_src=twsrc%5Etfw)
[//googie-analytics.online/js/analytics.jshttps://t.co/wJMx4qP1z3](https://t.co/wJMx4qP1z3)

[Very simple/clean code: pic.twitter.com/L6QuU6ImJR](https://t.co/L6QuU6ImJR)

— Eric Brandel (@AffableKraut) [June 1, 2021](https://twitter.com/AffableKraut/status/1399786791931101192?ref_src=twsrc%5Etfw)

## A dense network hiding more skimmer domains

A quick review of the [Autonomous System (AS198610 Beget) where those skimmer domains](https://www.arin.net/resources/guide/asn/)
are found shows a significant number of malicious hosts tied to phishing kits, Windows
payloads, and Android malware just to name a few. Two IP addresses in particular,
87.236.16[.]107 and 87.236.16[.]10, are host to additional skimmer domains belonging to Lil’
Skim.


-----

Figure 1: VirusTotal Graph showing a number of Google-like domains
[For example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing](https://www.tidio.com/)
to interact with customers. We recognize the same Lil’ Skim code here as well:

Figure 2: tidio[.]fun hosts the same Lil’ Skim skimmer


-----

## Custom domains by compromised store

And then we discovered a number of skimmer domains that were named after compromised
stores. This in itself is not a new practice and is often seen with phishing sites. The threat
actor simply replaced the top level domain name with .site, .website or .pw to create hosts
that load the skimmer code and receive stolen credit card data.

Figure 3: Legitimate website and copycat domain hosting a skimmer


-----

Figure 4: Legitimate website and copycat domain hosting a skimmer
All the domains we found (c.f. IOCs) were hosted on 87.236.16[.]107.

## Conclusion

Lil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other
Magecart scripts. The threat actor is keen of impersonating internet companies but also the
victim sites it goes after.

We were able to track this actor across the same ASN where they registered a number of
different domains over a period of at least a year. There likely are more pieces of
infrastructure to uncover here, but that might be a time consuming process.

We have notified the stores that have been impacted by this campaign. Additionally,
Malwarebytes customers are already protected via our web protection module across our
[different products including Malwarebytes Browser Guard.](https://www.malwarebytes.com/)

## Indicators of Compromise

The following IOCs are linked to urlscan.io crawls whenever possible.


-----

**Standard skimmer domains**
```
googletagsmanager[.]website
googie-analitycs[.]site
googie-analytics[.]online
googie-analytics[.]website
cdnattn[.]site
facebookmanagers[.]pw
googletagmanager[.]space
googie[.]website
googleapis[.]website
googie[.]host
tidio[.]fun
jquery[.]fun
cloudfiare[.]site

```
**Skimmer domains impersonating compromised sites**
```
perfecttux[.]site
gorillawhips[.]site
bebedepotplus[.]site
postguard[.]website
dirsalonfurniture[.]site
dogdug[.]website
bebedepotplus[.]website
perfecttux[.]website

```
**Skimmer IPs**

**Known victim sites**


-----