Tracking Down Magecart Group 12

This is a continuation on the joint analysis of the opendoorcdn domain with Max Kersten. Thanks to an article by RiskIQ we now know that the Magecart sample we were analyzing was related to Magecart Group 12. RiskIQ also identified two more domains related to the group, toplevelstatic[.]com and storefrontcdn[.]com. After hunting through other OSINT sources, several more domains were also found.

Initial Analysis

The first thing that was noticed was that the initial script being hosted on toplevelstatic[.]com/settig/min.min.js was the same one that was hosted on opendoorcdn[.]com. The group seemed to change their script around February 4th, 2020. The newly generated script deobfuscates to the same script that was seen in the past. The obfuscation of the script appears to be done in the same style as the previous, but is using different variable names and strings.

Compromised Sites

Nine sites were infected with this version of the skimmer. The infection on some of the sites was observed as early as January 30th, 2019. A few of the sites were also infected by the opendoorcdn skimmer, meaning the Magecart group has regained some of their foothold with these sites. Here is the table of currently infected sites:

Company Site First Seen Still Compromised
Suplementos Gym Jan 31st, 2020 No
Bahimi Feb 7th, 2020 No
TitansSport Feb 7th, 2020 No
BVC Feb 3rd, 2020 Yes
MyMetroGear Feb 4th, 2020 Yes
True Precision Feb 4th, 2020 Yes
Fashion Window Treatments Feb 6th, 2020 Yes
Skin Trends Feb 6th, 2020 No
Natonic Feb 10th, 2020 Yes

More Leads and More Sites

Thanks to UrlScan, RiskIQ, and other Open Source tools, it was possible to pivot off of the toplevelstatic domain to find several other domains relating to MC12. Each domain having their own set of targeted websites. The new domains are as follows:


Hosted two versions of scripts that were obfuscated in the same style as seen previously. Both the obfuscated and deobfuscated portions of the scripts were hosted on the site. The targets include:

Company Site First Seen Still Compromised
Cheshire Horse Nov 24th, 2019 No
Starting line Products Inc. Dec 6th, 2019 Yes
BroadTicket Dec 11th, 2019 Yes
Casamarela Feb 3rd, 2020 Yes
Arte Sacro Feb 3rd, 2020 Yes
Plus Medical Feb 3rd, 2020 Yes
Room Bird Feb 3rd, 2020 Yes
BroadTour Feb 3rd, 2020 Yes
Assokappa Feb 4th, 2020 Yes
KLX Feb 4th, 2020 Yes
Martin Services Feb 4th, 2020 No
Sickboy Motorcycles Feb 4th, 2020 Yes
Siam Florist Feb 5th, 2020 Yes
Bumper Works Online Feb 5th, 2020 Yes
Feb 5th, 2020
Feb 5th, 2020
Feb 5th, 2020
Feb 5th, 2020
Feb 5th, 2020
Feb 6th, 2020
Thunderkiss NW Feb 5th Yes
Selaria Dias Feb 6th, 2020 Yes
Thunderdome Feb 6th, 2020 Yes
Oh So Custom Feb 16th, 2020 Yes

Obfuscated Script hosted on site:

Deobfuscated Script hosted on site:

storefrontcdn[.]com and wappallyzer[.]com

Originally storefrontcdn[.]com was seen targeting the site on January 27th, 2020. The script host was changed to wappallyzer[.]com (a typosquatting of on February 6th, 2020. The reference to the malicious script has since been taken down.


This looks to be an emerging threat. It was just found February 17th, 2020 on The group appears to be changing from the toplevelstatic domain to this one. This has only been seen on the Natonic website so far.

Commanality Between Attacks

All of the compromised sites are running a version of Magento. This is a common target for Magecart groups and is where Magecart originally got its name. Other than running Magento, the impacted sites do not seem to have anything else in common.


All the compromised sites have been contacted. The charts above show which sites are still infected and which ones have removed the reference to the malicious domain. Unfortunately, there has been no word from any of the companies that were impacted. Hopefully they will remove the reference soon. Domain takedown requests were also submitted for the malicious domains. So far both storefrontcdn[.]com and wappallyzer[.]com have been taken down by NameCheap. 1API appeared to be the owner of the domain e4[.]ms, but redirected to BRS Media, who redirected again to REG.RU, who said that it was not violating their terms of service. As for toplevelstatic[.]com and stat-group[.]com, Eranet has not responded to any emails sent to their abuse address. Those domains still remain up and are still hosting the malicious skimmers.


Many of these sites have been the victims of skimming attacks before, so it seems that they have not fixed whatever vulnerabilites they had for the initial infection to take place. I urge these sites to patch as soon as possible to avoid another infection. I would like to thank NameCheap for being quick to respond and take the domains down. If you have purchased from any of these sites recently, please call your bank about replacing your card as it may be compromised. If you have any questions or comments feel free to let me know on my Twitter or LinkedIn.

Thanks for reading and happy reversing!

Article Link: