# Following the tracks of MageCart 12

**[maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/](https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/)**

17/02/2020

This research is a follow up on the two previous articles about MageCart 12. At first, two
infected ticket resellers were found, after which multiple other infected websites were caught
[by Jacob and me. RiskIQ also followed up on our findings with additional research where](https://www.riskiq.com/blog/labs/magecart-group-12-olympics/)
they found two popular websites to be infected with a credit card skimmer that has been
attributed by MageCart 12.

This article provides new websites that have been infected, but also websites that were
infected once more. Before going into the websites, a small note about the skimmer’s modus
operandi is made.

## The modus operandi

Similar to the opendoorcdn.com campaign, there is no legitimate JavaScript code within the
file. The skimmer is (similar to the opendoorcdn.com) hosted on an external site,
_toplevelstatic.com, which resolves to different IP addresses. The location of these IP_
addresses are mostly (if not all) located in Russia.

The used obfuscation is similar to the previous skimmer script, where the first stage functions
as a loader, whereas the second stage contains the original script with added garbage code
and string obfuscation. Note that the second stage script is only loaded if it is not tempered
with, based on the hash check that is included in the second stage.

When removing the dead code and string obfuscation from the second stage, the script is
identical to the original input, aside from the function names. This skimmer script is identical
to the one that was found on opendoorcdn.com, aside from the exfiltration gate’s address.

## The victims

All infected sites have been contacted prior to the publication of this blog, although there was
no response back to us. Information about each victim is given below.

### Suplementos Gym

The first sighting of a skimmer on [Suplementos Gym was on he 31st of January 2020. This](https://www.suplementosgym.com.mx/)
[specific skimmer still connected back to opendoorcdn.com, which was taken down by the](https://urlscan.io/result/122dc826-6504-4d97-980c-fed54d37f27a/)
[combined efforts of Jacob and myself. The first recorded sighting of the toplevelstatic.com](https://web.archive.org/web/20200207204213/https://www.suplementosgym.com.mx/)


-----

skimmer was on the 7th of February 2020. The latest recorded date that the skimmer was
[active, was on the 10th of February 2020, as can be seen here. Contact was established via](https://urlscan.io/result/ebe752f5-3546-4188-a28a-e04333e338a3/)
e-mail, but there was no response back.

### Bahimi

The [Bahimi web shop, which was also infected with the opendoorcdn.com skimmer in](https://bahimi.com/gbp)
[November 2019, has also been infected with the toplevelstatic.com skimmer on the 7th of](https://web.archive.org/web/20200207191831/https://bahimi.com/gbp%20)
February 2020. It is unknown for how long the skimmer remained active on the website.
[Albeit our best efforts, there was no response to our e-mail and Tweet.](https://twitter.com/Libranalysis/status/1225903135991963649)

### TitansSports

[TitansSport is the last entry in the list of victims that was also infected with the](https://www.titanssports.com.br/)
[opendoorcdn.com skimmer in early January 2020. The toplevelstatic.com infection was](https://urlscan.io/result/206789f9-6269-49a5-99df-f2cde9225801/)
present on the 7th of February 2020, although the exact time span is not yet known. Contact
was made via e-mail and WhatsApp, but no response was received.

### BVC

[BVC got infected on the 3rd of February 2020, as can be seen here. A snapshot of the 7th of](https://bvc.com/)
[February 2020 shows that the skimmer was still active, continuing on the 16th of February.](https://web.archive.org/web/20200216225101/https://bvc.com/)
[The skimmer is still active at the time of writing, which is the 19th of February 2020. An e-](https://web.archive.org/web/20200219215430/https://bvc.com/)
mail was sent to inform BVC, but no response was received.

### MyMetroGear

[The infection on MyMetroGear was first sighted on the 4th of February 2020. The infection](https://mymetrogear.branditportal.com/customer/account/login/)
[continued through the 7th of February, until the](https://web.archive.org/web/20200207194948/https://mymetrogear.branditportal.com/customer/account/login/) [16th of February 2020. The skimmer is still](https://web.archive.org/web/20200216225324/https://mymetrogear.branditportal.com/customer/account/login/)
[live at the time of writing, which is the 19th of February 2020. No answer was given based on](https://web.archive.org/web/20200219215307/https://mymetrogear.branditportal.com/customer/account/login/)
the e-mail we sent to MyMetroGear.

### True Precision

[True Precision‘s web shop was infected on the 4th of February 2020. The infection is](https://true-precision.com/)
ongoing at the time of writing (which is the 19th of February 2020). The infection was also
[stored in snapshots on the 7th of February 2020 and the](https://web.archive.org/web/20200207195414/https://true-precision.com/) [19th of February 2020. There was](https://web.archive.org/web/20200216225739/https://true-precision.com/)
[no response to our e-mail nor Tweet.](https://twitter.com/Libranalysis/status/1225903135991963649)

### Fashion Window Treatments

[Fashion Window Treatments got infected on the 6th of February, and is](https://fashionwindowtreatments.com/) [still infected at the](https://web.archive.org/web/20200219215337/https://fashionwindowtreatments.com/)
time of writing (the 19th of February 2020). There was no response back based on our e-mail
or [Tweet.](https://twitter.com/Libranalysis/status/1225903135991963649)


-----

### Skin Trends

[Skin Trends‘s web shop was infected on the 6th of February 2020. After the](https://www.skintrends.com/) 7th of February
2020, there is no record of an infection. Since our data collection is not exhaustive, the exact
end date of the infection is unknown, but at least prior to the 16th of February 2020. No
[response was received towards our e-mail nor Tweet.](https://twitter.com/Libranalysis/status/1225903135991963649)

### Natonic

[Natonic got infected on the 10th of February 2020. On the](https://natonic.com.au/) [17th of February 2020, the entire](https://web.archive.org/web/20200217000810/https://natonic.com.au/)
skimmer was put on the website as a piece of JavaScript, instead of being loaded externally.
Shortly after that, the skimmer was not present anymore. No response was received based
on the e-mail that we sent out.

## Conclusion

If you have shopped at one of the mentioned sites around the infected period, it is suggested
to contact your bank and request a new credit card. Also note that all information that was
entered on the site’s payment form was stolen by the credit card skimmer and should be
considered compromised.

Additionally, I’d like to thank Jacob for the clear communication and cooperation when
conducting this research.


-----