Pivoting on the skimmer’s domain name

Previously, I wrote about my joint research with Jacob Pimental regarding two ticket resellers that were infected with a credit card skimmer. Based on the domain name of the skimmer’s gate (opendoorcdn[.]com) and URLScan, Jacob and I found 9 more infected webshops. Some of them are still linking to the skimmer’s domain at the moment of writing, which is the 31st of January 2020.

Modus operandi

As explained in the previous blog, the usual modus operandi of the criminal actor(s) is to append the skimmer to a content delivery network’s JavaScript libraries. After that, the skimmer becomes active on all sites that use said library.

Based on the domain name that was used to exfiltrate the stolen data, opendoorcdn[.]com, I thought that there might be more to this case than we saw at first. When querying URLScan with this domain, as can be seen here, one can see multiple websites that once connected to the skimmer’s website.

What is odd in this case is the absence of a legitimate script. In the case of the ticket resellers, the malicious script was appended to the legitimate jQuery slider script. In this case, the script only contained the skimmer. This increases the chance of detection, but it also raises an important question: why are the affected websites loading this script?

In the previous case (where two sites were owned by the same company), the skimmer was disguised within a legitimate jQuery library. On the one hand, the developers could have copied the library’s code to their server and used it from there. On the other hand, the servers could have been breached by the actor(s), who then placed the link to the skimmer on the website. As there is no more information available about this, the topic is not discussed any further in this blog.
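The modus operandi above suggests two defender-side checks: flag any script tag whose source resolves to the skimmer’s gate domain, and detect a CDN library that has had code appended to it by pinning it to a known-good Subresource Integrity hash. The following Python script is an added example and not code from the original post or from this research; the HTML page and the library bodies are constructed samples, and only the domain is the indicator named in this post.

```python
"""Two defender-side checks derived from the skimmer's modus operandi.

Added example; not code from the original post or its research. The HTML
page and library bodies below are constructed samples; the domain is the
indicator named in the post.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the post, kept defanged as written and refanged for matching.
SKIMMER_DOMAINS = {"opendoorcdn[.]com".replace("[.]", ".")}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def extract_script_srcs(html: str) -> list:
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def host_of(url: str) -> str:
    """Hostname of a script URL; protocol-relative '//host/x' is handled."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_skimmer_references(html: str, bad_domains=SKIMMER_DOMAINS) -> list:
    """Return every script src whose host is (a subdomain of) a known gate."""
    hits = []
    for src in extract_script_srcs(html):
        host = host_of(src)
        if any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append(src)
    return hits


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def library_tampered(served: bytes, known_good_sri: str) -> bool:
    """True when the copy a CDN serves no longer matches the pinned hash.

    Appending anything to a library changes its hash, so a browser given
    this integrity value refuses to execute the modified file.
    """
    return sri_hash(served) != known_good_sri


def sri_script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag that pins a library to its known-good hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


# --- constructed samples -------------------------------------------------
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="//opendoorcdn.com/js/slider.js"></script>
<script src="/static/app.js"></script>
</head><body>checkout</body></html>
"""
GOOD_LIB = b"(function(){/* constructed stand-in for a jQuery slider */})();"
TAMPERED_LIB = GOOD_LIB + b"\n;(function(){/* bytes appended by a third party */})();"

if __name__ == "__main__":
    print("script tags pointing at the gate:", find_skimmer_references(SAMPLE_HTML))
    pinned = sri_hash(GOOD_LIB)
    print("tampered copy rejected:", library_tampered(TAMPERED_LIB, pinned))
    print(sri_script_tag("https://cdn.example.net/slider.js", GOOD_LIB))
```

The first check is what a quick URLScan-style pivot automates: any page whose script sources include the gate domain is worth a closer look, regardless of whether the referenced script is a modified library or only the skimmer. The second check addresses the library case directly; a shop that pins its third-party scripts with an integrity attribute is protected even if the CDN copy is altered, because the browser will refuse to run a file whose hash no longer matches.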

Hosting malware

In the original search, one can also see that OpendoorCDN used to host file.exe. Jacob looked into the details, after which he found a scan on the 2nd of March 2019. This provided him with the hash of the file (0a4d34dcb3098b65528cb438839e22e46051a694fc445567a981e6729b26c5c6), which can be found on VirusTotal. Any.run classifies the malware as a Coalabot sample.

Jacob confirmed this by dumping the process using hasherezade’s PE-sieve. When opening the dump with dnSpy, one can clearly see the coalabot string.

Contacting the websites

Similar to the previous case, I contacted the websites. In some cases, the start or end of the infection could not be determined precisely, so some of the time frames are a bit vague. Below, the time frame for each of the infected websites is given, along with proof of the infection and information regarding the contact with each site.

WebNIC – the hosting provider

Jacob contacted the hosting provider via e-mail on the 24th of January 2020. On the 25th of January 2020, they responded by saying that they would investigate the case. On the 28th of January 2020, WebNIC informed us that the website was taken down. This mitigates the risk for all affected websites from this date onward, as the skimmer cannot be loaded anymore.

SupremeProducts

Based on the data in URLScan, the first occurrence on SupremeProducts can be found on the 12th of October 2019, as can be seen here. The infection lasted at least until the 7th of November 2019, as can be seen here.

Note that both the skimmer’s URL and its content on the 7th of November 2019 differ from the other skimmer. After removing the obfuscation, I confirmed that it is exactly the same skimmer as the other one. It was generated with the same public JavaScript obfuscator, which led to a slightly different output.

Contact was initiated via the website’s contact form on the 27th of January 2020, but we never received a reply.

PartsPlaceInc

On the 13th of November 2019, the first recorded occurrence on PartsPlaceInc was observed on URLScan, as can be seen here. The end date of the infection is unknown.

Contact was initiated via the website’s contact form on the 27th of January 2020. Alas, no reply was given.

Bahimi

The first recorded occurrence of the skimmer on Bahimi Beachwear’s site was on the 19th of November 2019, as can be seen here. The infection was live until the first of February 2020, with a snapshot of the 26th of January on the Wayback Machine here. Note that the US version of the site does not seem to be affected.

Contact was initiated via Twitter on the 24th of January 2020, and via the website’s contact form on the 27th of January 2020. Even though we contacted the site in multiple ways, there was no response.

NaturalPigments

The first occurrence of the skimmer on NaturalPigments’ site was sighted on the 1st of December 2019, as can be seen here. The end date of the infection remains unknown.

Contact was initiated via Twitter on the 24th of January 2020, and via the website’s contact form on the 27th of January 2020. Despite the two attempts, there was no response.

Zhik

A connection to the malicious domain was sighted on Zhik’s site on the 15th of December, as can be seen here. Note that the response’s size is 0 bytes. Although there is no direct evidence that the skimmer successfully loaded, it is worrying that the original site linked to the skimmer’s website at all.

A snapshot of the site on the Wayback Machine that dates to the 21st of December 2019 shows that there was no skimmer present anymore, as can be seen here.

Directly after reaching out on Twitter, I made a call on the 24th of January 2020 to the European office. During the call, I was given the e-mail address of the person who was responsible for the website’s maintenance. The e-mail was sent out on the 27th of January 2020. Despite our best efforts, there was no response.

Tapis-Deluxe

The first observed skimmer on Tapis-Deluxe’s site was on the 7th of January 2020, as can be seen here. The duration of the infection is not known.

Contact was initiated via the website’s contact form on the 28th of January 2020. There was no response to the message we left.

TitansSports

The first observed infection on TitansSports’ site was on the 9th of January 2020, as can be seen here. The skimmer was taken down on the third of February 2020. An archived version of the 26th of January shows the skimmer on the website.

Contact was initiated via e-mail on the 27th of January 2020. On the 29th of January 2020, I contacted the customer support through the given WhatsApp number. The message was read, but never answered.

TJ VIP

The first observed infection on TJ VIP dates to the 18th of January 2020, as can be seen here. On the 30th of January 2020, TJ VIP removed the skimmer from their site. A previous snapshot on the Wayback Machine shows that the site was infected until a few days prior.

Contact was initiated via Twitter on the 24th of January 2020, as well as via e-mail on the 27th of January 2020. On the 29th of January 2020, contact was initiated via the live chat function. I urged the support to look into the e-mail that I had sent previously, and to contact their security team. The customer support told me that I would receive an answer shortly, which never came.

CDNN Sports

The first sighting of the skimmer on CDNN Sports’ site was on the 27th of November 2019, as can be seen here. The information on the Wayback Machine shows that the infection was no longer present on the 12th of December 2019.

On the 27th of January 2020, contact was initiated via the website’s contact form. Alas, no response came back.

Conclusion

If you have shopped at one of the mentioned sites during the infected period, you are advised to contact your bank and request a new credit card. Also note that all information entered on the site’s payment form was stolen by the credit card skimmer and should be considered compromised.

Additionally, I’d like to thank Jacob for the clear communication and cooperation when conducting this research.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.