Magecart skimmers found on Amazon CloudFront CDN
By Jérôme Segura
Published: 2019-06-03 · Archived: 2026-04-05 20:45:24 UTC
A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 1 of 351

Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 2 of 351

Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 3 of 351

criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 4 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 5 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 6 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 7 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 8 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 9 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 10 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 11 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 12 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 13 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 14 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 15 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 16 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 17 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 18 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 19 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 20 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 21 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 22 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 23 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 24 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 25 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 26 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 27 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 28 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 29 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 30 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 31 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 32 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 33 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 34 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 35 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 36 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 37 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 38 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 39 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 40 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 41 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 42 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 43 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 44 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 45 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 46 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 47 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 48 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 49 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 50 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 51 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 52 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 53 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 54 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 55 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 56 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 57 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 58 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 59 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 60 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 61 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 62 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 63 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 64 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 65 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 66 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 67 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 68 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 69 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 70 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 71 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 72 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 73 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 74 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 75 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 76 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 77 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 78 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 79 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 80 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 81 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 82 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 83 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 84 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 85 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 86 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 87 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 88 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 89 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 90 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 91 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 92 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 93 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 94 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 95 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 96 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 97 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 98 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 99 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 100 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 101 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 102 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 103 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 104 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 105 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 106 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 107 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 108 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 109 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 110 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 111 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 112 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 113 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 114 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 115 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 116 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 117 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 118 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 119 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 120 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 121 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 122 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 123 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 124 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 125 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 126 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 127 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 128 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 129 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 130 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 131 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 132 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 133 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 134 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 135 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 136 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 137 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 138 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 139 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 140 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 141 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 142 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 143 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 144 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 145 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 146 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 147 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 148 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 149 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 150 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 151 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 152 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 153 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 154 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 155 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 156 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 157 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 158 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 159 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 160 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 161 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 162 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 163 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 164 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 165 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 166 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 167 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 168 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 169 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 170 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 171 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 172 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 173 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 174 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 175 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 176 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 177 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 178 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 179 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 180 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 181 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 182 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 183 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 184 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 185 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 186 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 187 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 188 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 189 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 190 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 191 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 192 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 193 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 194 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 195 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 196 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 197 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 198 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 199 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 200 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 201 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 202 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 203 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 204 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 205 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 206 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 207 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 208 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 209 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 210 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 211 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 212 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 213 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 214 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 215 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 216 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 217 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 218 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 219 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 220 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 221 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 222 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 223 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 224 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 225 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 226 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 227 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 228 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 229 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 230 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 231 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 232 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 233 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 234 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 235 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 236 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 237 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 238 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 239 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 240 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 241 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 242 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 243 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 244 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 245 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 246 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 247 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 248 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 249 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 250 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 251 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 252 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 253 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 254 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 255 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 256 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 257 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 258 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 259 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 260 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 261 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 262 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 263 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 264 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 265 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 266 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 267 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 268 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 269 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 270 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 271 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 272 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 273 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 274 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 275 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 276 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 277 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 278 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 279 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 280 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 281 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 282 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 283 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 284 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 285 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 286 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 287 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 288 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 289 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 290 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 291 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 292 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 293 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 294 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 295 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 296 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 297 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 298 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 299 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 300 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 301 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 302 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 303 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 304 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 305 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 306 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 307 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 308 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 309 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 310 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 311 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 312 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 313 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 314 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 315 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 316 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 317 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 318 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 319 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 320 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 321 of 351

Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 322 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 323 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 324 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 325 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 326 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 327 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 328 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 329 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 330 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 331 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 332 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 333 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 334 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 335 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 336 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 337 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 338 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 339 of 351

What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 340 of 351

wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 341 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 342 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 343 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 344 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Update (06-08-2019): The compromises of Amazon S3 buckets continue and some large sites are being affected.
Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official
NBA.com website.
The skimmer was inserted in this JavaScript library:
hxxps://s3[.]amazonaws[.]com/wsaimages/js/wizards[.]js
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 345 of 351

Interestingly, this same library had already been altered (loading content from com (opens in a new tab)”>) some
time earlier in January of this year. We have reported this incident to Amazon. A complete archived scan of the
page can be found here.
—
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network
(CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers.
Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain,
this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own libraries or
link to code developed specifically for them and hosted on a custom AWS S3 bucket.
Without properly validating content loaded externally, these sites are exposing their users to various threats,
including some that pilfer credit card data. After analyzing these breaches, we found that they are a continuation of
a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs.
The ideal place to conceal a skimmer
CDNs are widely used because they provide great benefits to website owners, including optimizing load times and
cost, as well as helping with all sorts of data analytics.
The sites we identified during a crawl had nothing in common other than the fact they were all using their own
custom CDN to load various libraries. In effect, the only resulting victims of a compromise on their CDN
repository would be themselves.
This first example shows a JavaScript library that is hosted on its own dedicated AWS S3 bucket. The skimmer
can be seen appended to the original code and using obfuscation to conceal itself.
This second case shows the skimmer injected not just in one library, but several contained within the same
directory, once again part of an S3 bucket that is only used by this one website.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 346 of 351

Finally, here’s another example where the skimmer was injected in various scripts loaded from a custom
CloudFront URL.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 347 of 351

Exfiltration gate
This skimmer uses two levels of encoding (hex followed by Base64) to hide some of its payload, including the
exfiltration gate (cdn-imgcloud[.]com). The stolen form data is also encoded before being sent back to the
criminal infrastructure.
While we would have expected to see many Magento e-commerce shops, some of the victims included a news
portal, a lawyer’s office, a software company, and a small telecom operator, all running a variety of Content
Management Systems (CMSes).
As such, many did not even have a payment form within their site. Most simply had a sign up or login form
instead. This makes us believe that Magecart threat actors may be conducting “spray and pray” attacks on the
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 348 of 351

CDNs they are able to access. Perhaps they are hoping to compromise libraries for sites with high traffic or tied to
valuable infrastructure from which they can steal input data.
Connection with existing campaign
The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the
same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent
supply-chain attacks.
RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another
(ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 349 of 351

A cursory look at this new cdn-imgcloud[.]com gate shows that it was registered just a couple days after the
RiskIQ blog post came out and uses Carbon2u (which has a certain history) as nameservers.
Creation Date: 2019-05-16T07:12:30Z
Registrar: Shinjiru Technology Sdn Bhd
Name Server: NS1.CARBON2U.COM
Name Server: NS2.CARBON2U.COM
The domain resolves to the IP address 45.114.8[.]160 that belongs to ASN 55933 in Hong Kong. By exploring the
same subnet, we can find other exfiltration gates also registered recently.
What we can also see from the above VirusTotal graph, is that the two domains (font-assets[.]com and ww1-
filecloud[.]com) that were previously sinkholed to 179.43.144[.]137 (server in Switzerland) came back into the
hands of the criminals.
Historical passive DNS records show that on 05-25-2019, font-assets[.]com started resolving to 45.114.8[.]161.
The same thing happened for ww1-filecloud[.]com, which ended up resolving to 45.114.8[.]159 after a few swaps.
Finding and exploiting weaknesses
This type of attack on private CDN repositories is not new, but reminds us that threat actors will look to exploit
anything that is vulnerable to gain entry into systems. Sometimes, coming in from the front door might not be a
viable option, so they will look for other ways.
While this example is not a third-party script supply-chain attack, it is served from third-party infrastructure.
Beyond applying the same level of access control to your own CDN-hosted repositories as your actual website,
other measures—such as validation of any externally loaded content (via Subresource Integrity checks, for
example)—can save the day.
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 350 of 351

We reached out to the victims we identified in this campaign and several have already remediated the breach. In
other cases, we filed an abuse report directly with Amazon. Malwarebytes users are protected against the
skimmers mentioned in this blog and the new ones we discover each day.
Indicators of Compromise (IoCs)
ww1-filecloud[.]com,45.114.8[.]159
cdn-imgcloud[.]com,45.114.8[.]160
font-assets[.]com,45.114.8[.]161
wix-cloud[.]com,45.114.8[.]162
js-cloudhost[.]com,45.114.8[.]163
Source: https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
Page 351 of 351