A study by RiskIQ, which has been tracking the Magecart group for some time, said the secondary actors were aware that breached websites were still likely to be communicating with domains that were once used for skimming and exfiltrating credit card data.
These domains were bought by the secondary group and then used for malvertising or other threat activity, RiskIQ said.
"The challenge with these domains is that many website owners were never aware of an active skimmer threat on their site in the first place," RiskIQ threat researcher Yonathan Klijnsma said.
The RiskIQ study includes details on the following:
- The lifecycle of a malicious domain;
- How bad actors take advantage of old Magecart domains;
- How to read subtle WHOIS changes that indicate a takeover; and
- Tips for site owners to maintain visibility into the code on their site.