# Closing in on MageCart 12

**maxkersten.nl/2020/02/24/closing-in-on-magecart-12/**

24/02/2020

This is the fourth blog post with details on the activities of MageCart 12. In this article, yet another part of their ongoing campaign is uncovered. The number of infected sites in this campaign is higher than in the previous cases. Before diving into the infected sites and the rough duration of the infections, information about the skimmer itself is given.

## Modus operandi

The modus operandi for this campaign differs slightly from that in the other research that has been published so far. The skimmer, hosted on jquerycdn.su, changed four times during the campaign. The earliest recorded date of a hacked site linking to the skimmer domain is the 30th of September 2019, whereas the latest new infection date is the 19th of February 2020.

In the four versions of the skimmer that were used in this campaign, the obfuscation method is the same as in the other reported campaigns. The first stage loads the actual skimmer script, which is polluted with garbage code. The skimmer itself is different compared to the first versions: it grabs all fields from the page, rather than all forms. Although the approach and script are different, the general concept remains the same: obtaining credit card credentials. The exfiltration domains are linked to other skimming campaigns from MageCart 12, like the [one Marco Ramilli wrote about](https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/), as well as [Jacob's blog](https://www.goggleheadedhacker.com/blog/post/16).

## Infected web shops

All but three affected web shops have been contacted via e-mail or their web form on the 21st of February 2020. For each of the three uninformed web shops, there is a note in the list with the reason why. Similar to previous cases, I did not receive any response at the time of writing (which is the 25th of February 2020).
The given dates are based upon the data set I created. This set is, by definition, not 100% accurate. As such, the actual dates might differ slightly. Additionally, it is possible that a website was not infected for the complete time between the begin and the end date, but this information is not present in my data set.

The mentioned dates are based upon the most accurate information from the data set and are limited to this skimmer domain. Some sites are infected with another domain that is operated by the same group. To avoid confusion and keep things clear, this has not been included in this post. Note that the skimmer domain (jquerycdn.su) has been down for at least a few days. This means that several sites that are still infected are currently not actively sharing credit cards with the criminal actors, but this is subject to change at any given moment.

The list below is ordered from the past until the present, meaning the oldest infections are listed first. The end date is not taken into account in the sorting.

- [BioPets](https://biopets.ro/) was infected from the [30th of September 2019 and the infection is ongoing](https://urlscan.io/result/3972f36d-6525-490f-a97c-8087238d23a0/) [until now](https://web.archive.org/web/20200223155537/http://biopets.ro/). The location where the skimmer is hosted right after that is different compared to the initial skimmer.
- [Wellspring Wholesale](https://wholesale.wellspringgift.com/) was infected from the [30th of September 2019](https://urlscan.io/result/ca582723-03d1-4ed0-ac55-a5295bc0b0fb/) until the 9th of February 2020.
- [Wellspring Customer](https://consumer.wellspringgift.com/) was infected from the [30th of September 2019](https://urlscan.io/result/fa2a2e95-2858-4bd1-b949-2030d40df35b/) until the 9th of February 2020.
- [D2D Organics](https://www.d2dorganics.com/) was infected from the [30th of September 2019](https://urlscan.io/result/e2af311c-25a1-4607-ba6b-784d06f77e22/) until the first of November 2019. At some point in time after that, the site went down. As such, there was no method to contact the owners of the website.
- [Loud Shirts USA](https://loudshirtsusa.com/) was infected from the [first of October 2019](https://urlscan.io/result/c5cee07b-081c-4bb0-a658-9f0c007bd305/) until somewhere prior to the [9th of February 2020](https://web.archive.org/web/20200209183154/https://loudshirtsusa.com/).
- [Nilima Home](https://www.nilimahome.com/) was infected from the [first of October 2019](https://urlscan.io/result/67a8b883-01a7-48f3-bf76-d9468beeb95d/) until the [9th of February 2020](https://web.archive.org/web/20200209184015/http://nilimahome.com/).
- [Silk Naturals](https://www.silknaturals.com/store/) was infected from the [first of October 2019](https://urlscan.io/result/8afc7913-1570-4a0a-97b2-abc80cc0b1f9/) until the 16th of February 2020.
- [JD’s Sound & Lighting](https://www.jdsound.com.au/) was infected from the [second of October 2019](https://urlscan.io/result/24dcd5e3-06d9-4728-b07b-b6b40b8b7635/) until the 9th of February 2020.
- [Nilima Rugs](https://nilimarugs.com/) was infected from the [second of October 2019](https://urlscan.io/result/65490bbd-3ab7-4445-8475-e8b8de30f611/) until the 10th of February 2020.
- [Martin Services](https://www.martinservices.ie/) was infected from the [second of October 2019](https://urlscan.io/result/ad5d3140-7dc4-45c3-bf76-cebfa1c5fa1d/) until an unknown point in the future.
- [The Cheshire Horse](https://www.cheshirehorse.com/) was infected from the [6th of October 2019](https://urlscan.io/result/3fba587c-72fb-411b-b6f2-c504e1982321/) until the 11th of December 2019.
- [Klein & More](https://www.kleinundmore.de/) was infected on the [7th of October 2019](https://urlscan.io/result/e70925c8-c336-4f95-906b-58e27b193b73/). No more information is available.
- [Schlaf Team](https://www.schlafteam.de/) was infected on the [17th of October 2019](https://urlscan.io/result/cf819ca7-4f8b-463f-91a0-d08c78939049/). No more information is available.
- [The Top Collection](https://thetopcollection.com/) was infected from the [19th of October 2019](https://urlscan.io/result/c24b65bb-9a32-4f5b-8cb7-74cf8d9bf9c4/) until at least the 25th of February 2020.
- [Selaria Dias](https://www.selariadias.com.br/) was infected from the [5th of November 2019](https://urlscan.io/result/9204ef27-5173-4310-9b16-eb7faf154025/) until the 21st of February 2020.
- [Tile](https://www.tile.co.uk/) was infected from the [13th of November 2019](https://urlscan.io/result/c4390a20-aaeb-4ab4-8cd8-efc13b226ade/) until the [28th of January 2020](https://urlscan.io/result/be964179-d160-4810-a33a-1c5379005807/).
- [Liquorish Online](https://www.liquorishonline.com/) was infected from the [13th of November 2019](https://urlscan.io/result/7207fae2-3a2d-4116-9845-721b81cd160b/) until the 24th of November.
- [Starting Line Products](https://www.startinglineproducts.com/) was infected on the [19th of November 2019](https://urlscan.io/result/d1ee2ab2-010d-4cf2-aa37-b2e36d723909/). No more information is available.
- [Sport Everest](https://www.sporteverest.si/) was infected from the [20th of November 2019](https://urlscan.io/result/c4900f1e-9324-4883-9f44-b55994e01cbc/) until at least the 25th of February 2020.
- [ABC School Supplies](https://abcschoolsupplies.com.au/) was infected from the [26th of November 2019](https://urlscan.io/result/986d2a49-ce68-4a7e-a41b-7e2231a6e501/) until the 10th of February 2020.
- [Motor Book World](https://www.motorbookworld.com.au/) was infected from the [26th of November 2019](https://urlscan.io/result/eed7b026-5ad6-4757-8e4e-f7c3138b437f/) until the 22nd of February 2020.
- [Contadores Digital](https://contadoresdigital.com.br/) was infected on the [second of December 2019](https://urlscan.io/result/504fb72c-c128-44a0-963c-969e5713b870/). No more information is available.
- [Giocattoli Negozio](https://www.giocattoli-negozio.com/) was infected from the [12th of December 2019](https://urlscan.io/result/2ace5deb-8a21-4bf9-8bd6-05708fee8036/) until at least the 25th of February 2020.
- [Academic Bag](https://www.academicbag.com/) was infected on the [6th of January 2020](https://urlscan.io/result/feda4226-acca-420c-a5e5-52ad9c0ccd3d/). No more information is available.
- [SoleStar](https://www.solestar.de/) was infected from the [11th of January 2020](https://urlscan.io/result/71e12a70-519f-4793-bb97-cb01067c76b5/) until at least the 25th of February 2020.
- [Surf Bussen Travel](https://surfbussen.travel/) was infected from the [17th of January 2020](https://urlscan.io/result/8cf965ad-4c67-4c50-af86-8ac1ecbf6e4a/) until the 10th of January 2020.
- [Surf Bussen Nu](https://www.surfbussen.nu/) was infected on the [18th of January 2020](https://urlscan.io/result/60a434ad-195a-4534-aae8-5c6a9e349865/). No more information is available.
- [Haight Ashbury Music Center](https://haightashburymusic.com/) was infected from the [24th of January 2020](https://urlscan.io/result/501b0a0b-e54e-4039-b8bc-5bafb1cb7c40/) until the 18th of February 2020. Alas, the form on the website did not allow me to submit a message. Aside from that, there were no other contact methods available. As such, I was not able to inform them.
- [MyCluboots](https://www.mycluboots.com/) was infected from the [25th of January 2020](https://urlscan.io/result/cb58477a-fb2b-4a0d-9f5d-2c2f4183b613/) until at least the 25th of February 2020.
- [Sol’s Italia](https://shop.sols-italia.it/) was infected on the [30th of January 2020](https://urlscan.io/result/03cb8154-9d58-4587-9a1f-937a4c09d8a2/). No more information is available.
- [Parkwood Middle School Bears](https://parkwoodmiddlegear.com/) was infected from the [31st of January 2020](https://urlscan.io/result/1399a815-7095-41a0-8331-a373998c51d8/) until at least the [25th of February 2020](https://web.archive.org/web/20200225000923/https://parkwoodmiddlegear.com/).
- [Voltacon](https://voltaconsolar.com/) was infected from the [12th of February 2020](https://urlscan.io/result/8fef968e-5fe7-4859-b163-1b64de3ea1b8/) until the [25th of February 2020](https://web.archive.org/web/20200225000931/https://voltaconsolar.com/).
- [Pitcher’s Sports](https://pitcherssportsonline.com/) was infected from the [13th of February 2020](https://urlscan.io/result/37122f1a-5725-422f-86a1-94251b58e7d2/) until at least the 25th of February 2020. Alas, the only possible contact method was via a phone call. Since this was not an option for me, I could not contact them.
- [Powerhouse Marina](https://www.powerhousemarina.com/) was infected from the [13th of February 2020](https://urlscan.io/result/11ed005c-b191-4992-8e04-fabcf5baa36a/) until the 25th of February 2020.
- [Sukhi Rugs](https://www.sukhirugs.com/) was infected on the [13th of February 2020](https://urlscan.io/result/18413724-a803-4882-b246-def8a1bab1fa/). No more information is available.
- [ZooRoot](https://www.zooroot.com/) was infected from the [14th of February 2020](https://urlscan.io/result/df26348d-2ae8-4692-bf07-d3ab398c71da/) until at least the 25th of February 2020.
- [Sukhi](https://www.sukhi.de/) was infected on the [17th of February 2020](https://urlscan.io/result/d425ca56-5b9c-4d77-9ca3-442aa0dbc868/). No more information is available.
- [Integral Yoga Distribution](https://new.iydistribution.com/) was infected from the [18th of February 2020](https://urlscan.io/result/1008692f-2a13-4bb5-833a-62647331f341/#transactions) until at least the [25th of February 2020](https://urlscan.io/result/a0d79392-6c5d-49cb-89b2-41da55c57792).
- [Kitchen And Couch](https://www.kitchenandcouch.com/) was infected from the [19th of February 2020](https://urlscan.io/result/db9bf20e-056a-489c-87b1-64be85429cbe/#transactions) until the 25th of February 2020.

## Conclusion

If you have shopped at one of the mentioned sites around the infected period, it is suggested to contact your bank and request a new credit card. Also note that all information that was entered on the site’s payment form was stolen by the credit card skimmer and should be considered compromised.
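The modus operandi section describes the first stage as a hacked site linking to the skimmer domain. As an added example (not code from the original post), the script below audits the `<script src>` hosts of a checkout page against an allowlist and reports the skimmer host named in the post; the HTML, the shop hostname `shop.example` and the allowlist are constructed for the example, and the jQuery-lookalike heuristic is an assumption based on the domain name.

```python
"""Flag script sources on a checkout page that load from unvetted hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Skimmer host named in the post for this MageCart 12 campaign.
KNOWN_SKIMMER_HOSTS = {"jquerycdn.su"}
# Hosts the shop owner has vetted (assumed list for the example).
ALLOWED_HOSTS = {"shop.example", "code.jquery.com"}

# Constructed checkout page: one relative script, one vetted CDN,
# one reference to the skimmer host and one unvetted tracker.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="//jquerycdn.su/jquery.min.js"></script>
<script src="https://cdn.stats.example/track.js"></script>
</head><body><form id="payment"><input name="cc_number"></form></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_host(src, page_host):
    """Host a script src loads from; relative paths resolve to the page host."""
    return (urlparse(src).hostname or page_host).lower()


def audit_scripts(html, page_host):
    """Return (host, src, reason) for each script not loaded from an allowed host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = script_host(src, page_host)
        if host == page_host or host in ALLOWED_HOSTS:
            continue  # first-party or vetted third-party script
        if host in KNOWN_SKIMMER_HOSTS:
            reason = "known MageCart 12 skimmer host"
        elif "jquery" in host:  # assumption: name imitates a jQuery CDN
            reason = "jQuery-lookalike host not on allowlist"
        else:
            reason = "unvetted third-party host"
        findings.append((host, src, reason))
    return findings


if __name__ == "__main__":
    for host, src, reason in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(f"{reason}: {host} ({src})")
```

Running the same audit against an archived copy of a page (as the urlscan.io and web.archive.org links in the list do) gives a quick first check for the script reference this campaign relies on, although it does not reveal the second-stage script the first stage loads.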