{
	"id": "9440e707-224d-47d2-9b15-70f86c2e56e0",
	"created_at": "2026-04-06T00:08:13.193171Z",
	"updated_at": "2026-04-10T03:24:11.789067Z",
	"deleted_at": null,
	"sha1_hash": "522b1b9d8acb2f1f1856baa02ff2d2786aa86853",
	"title": "Web Skimmer with a Domain Name Generator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211032,
	"plain_text": "Web Skimmer with a Domain Name Generator\r\nBy Denis Sinegubko\r\nPublished: 2020-04-17 · Archived: 2026-04-05 13:14:43 UTC\r\nOur security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database.\r\nThe malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date.\r\nWeb skimmer script that generates domain names based on the date.\r\nMore specifically, the domain generating algorithm returns a new domain name for each month. The changing parts of the algorithm are the current month, (new Date()).getMonth(), and the current year, (new Date()).getFullYear().\r\nMalicious Domains Generated for 2020\r\nDuring the month of April 2020, the algorithm was found to generate the previously mentioned domain qr201346[.]pw. In March, the domain was qr201010[.]pw.\r\nA quick check on UrlScan.io proves that the domain name was indeed used on compromised e-commerce sites back in March. Using the algorithm, we generated a list of domains that we expect this malware will be using for the rest of 2020.\r\nMarch qr201010[.]pw\r\nApril qr201346[.]pw\r\nMay qr202284[.]pw\r\nJune qr202960[.]pw\r\nJuly qr202754[.]pw\r\nAugust qr201854[.]pw\r\nSeptember qr201089[.]pw\r\nOctober qr201161[.]pw\r\nNovember qr202004[.]pw\r\nDecember qr202844[.]pw\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nPage 1 of 5\n\nWhat we discovered was that all 10 of these domains were registered on March 18, 2020 within one minute by a user with the email jashkinagal@yandex.ru. All domains point to the same server 83.166.244.76 in Russia.\r\nThis registration date explains why we didn’t find any registered domains for the campaign in January and February — the attack started using this algorithm in March. We also didn’t find registered domains for the next year yet. Either the attackers didn’t expect this script to be used for that long, or they wanted to register new domains closer to the end of the year.\r\nDomain Generating Algorithms in Website Malware\r\nThe approach of generating pseudo-random domain names to download malicious payloads is not new. Back in 2012, we saw this same practice used by the massive runforestrun malware campaign. This method helps hackers try to minimize damage from malicious domain blacklisting without having to update their injections on compromised sites.\r\nWhile it may sound reasonable in theory (when security companies only react to what they find in the traffic generated by malware), in practice, it’s quite easy for security researchers to reverse engineer the domain generating algorithm and accurately predict which domain names the malware will be using in the future.\r\nThat being said, we haven’t seen the use of dynamic domain name generating algorithms in web skimmers before. It shows that the bad actors are constantly looking for new tricks to increase the efficiency of their malware.\r\nMalware Loaded by the Skimmers\r\nThis particular gang is known for using quite a few interesting tricks in their skimmers. Let’s start with the fact that while the domain generating algorithm is the same on all [known] compromised sites, the paths used on the domains usually vary from one to another. They are typically as simple as one or two characters appended to the domain name after a slash, e.g. /fr in qr201346[.]pw/fr.\r\nA quick scan revealed a number of paths on the 83.166.244[.]76 server that returned various obfuscated web skimmer scripts (this list is not complete):\r\n/b\r\n/c\r\n/e\r\n/f\r\n/fr\r\n/h\r\n/i\r\n/k\r\n/l\r\n/m\r\n/o\r\n/p\r\n/pr\r\n/pe\r\n/s\r\n/t\r\n/w\r\n/y\r\n/z\r\n...\r\nFake Payment Form and Exfiltration URL\r\nAll of these scripts inject a fake payment form (so that attackers don’t have to deal with the different real forms used on each site). At the final stage, the scripts send stolen data as encrypted GET parameters to hxxps://gooogletagmanager[.]online/get.php (a common Google Tag Manager impersonation trick), which is hosted on the server 83.166.244[.]152 in Russia (same subnetwork).\r\nPassing stolen data as GET parameters to a script at gooogletagmanager[.]online\r\nAnts and Cockroaches\r\nWe also noticed that some of the scripts used the ant_cockroach obfuscations that I tweeted about in the beginning of March:\r\nEven the scripts with different obfuscation variations also target both English and Portuguese names of common fields of checkout forms, proving that we’re seeing the evolution of the same malware campaign.\r\nHttp[.]ps Domain Pretends to be an HTTPS Scheme\r\nMalwareBytes researcher Jérôme Segura has also recently covered web skimmers from this particular Magecart group. Specifically, their research shows how the use of the http[.]ps domain helps bad actors make their URLs look like they were hosted on reputable websites — and that http[.]ps was just the common HTTPS scheme.\r\nIt’s also worth mentioning that several of the malicious domains described in that post had the .pw TLD (autocapital[.]pw, xxx-club[.]pw), which all point to servers on the network of the Russian Llc Management Company Svyaz (83.166.248[.]67, 83.166.244[.]189) and also match the TLD and network choices for the domains generated by the latest variation of their web skimmers.\r\nConclusion\r\nThis past March, MalwareBytes noticed a 26% increase in website malware trying to steal payment details. As more people are staying home and doing their shopping online, web skimmers become significantly more profitable. This makes online credit card stealers one of the most actively developed types of website malware.\r\nAs expected, bad actors are trying every new (and old) trick in the book to increase the ROI (return on investment) of their attacks, which includes targeting popular online stores and making the malware as hard to detect — and block — as possible. Dynamically generating new domain names for each month is a relatively rare trick, though it’s probably not very efficient. We’ll definitely see more new obfuscation and detection prevention techniques from web skimmer authors soon.\r\nFor site owners, most of these tricks don’t make much of a difference if they follow best security practices. Integrity control and security monitoring will help detect any unauthorized modifications as soon as possible to mitigate the attack. A good website firewall will help minimize the risk of infection in the first place.\r\nUpdate – April 23rd, 2020\r\nAnother variant of this malware has been discovered, with details documented in a recent Labs note.\r\nThis version was found using the following domains:\r\nMarch ql202141[.]pw\r\nApril ql201243[.]pw\r\nMay ql201041[.]pw\r\nJune ql201721[.]pw\r\nJuly ql202657[.]pw\r\nAugust ql202989[.]pw\r\nSeptember ql202412[.]pw\r\nOctober ql201456[.]pw\r\nNovember ql201000[.]pw\r\nDecember ql201463[.]pw\r\nSource: https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html"
	],
	"report_names": [
		"web-skimmer-with-a-domain-name-generator.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434093,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/522b1b9d8acb2f1f1856baa02ff2d2786aa86853.pdf",
		"text": "https://archive.orkl.eu/522b1b9d8acb2f1f1856baa02ff2d2786aa86853.txt",
		"img": "https://archive.orkl.eu/522b1b9d8acb2f1f1856baa02ff2d2786aa86853.jpg"
	}
}