# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://gwillem.gitlab.io/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/

magentocore.net

# Reference: https://www.riskiq.com/blog/labs/magecart-keylogger-injection/

abuse-js.link
angular.club
cdn-js.link
docstart.su
govfree.pw
jquery-cdn.top
js-abuse.link
js-abuse.su
js-cdn.link
js-link.su
js-magic.link
js-mod.su
js-save.link
js-save.su
js-start.su
js-stat.su
js-sucuri.link
js-syst.su
js-top.link
js-top.su
jscript-cdn.com
lolfree.pw
mage-cdn.link
mage-js.link
mage-js.su
magento-cdn.top
mageonline.net
mipss.su
mod-js.su
mod-sj.link
sj-mod.link
sj-syst.link
stat-sj.link
statdd.su
statsdot.eu
stecker.su
stek-js.link
syst-sj.link
top-sj.link
truefree.pw

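# Reference: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
# Note: the http://<IP> entry below is a bare address with no hostname. IP indicators go
# stale once the address is reassigned, so corroborate a hit on it before acting.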

http://89.47.162.248
baways.com

# Reference: https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

http://85.93.5.188
http://94.156.133.211
webfotce.me

# Reference: https://twitter.com/bad_packets/status/1043809501516726272

gamacdn.com

# Reference: https://twitter.com/hashtag/magecart?src=hash
# Reference: https://twitter.com/AmiV2/status/1042988934576271360

neweggstats.com

# Reference: https://otx.alienvault.com/pulse/5c9287b3b67a75234fc56b6b

cdnassels.com
cdnmage.com
cmytuok.top
configsysrc.info
js-cloud.com
magejavascripts.com
magesecuritys.com
magescripts.pw
mcloudjs.com
mypiltow.com
secure.livechatinc.org

# Reference: https://twitter.com/jeromesegura/status/1121134552158621696
# Reference: https://twitter.com/bad_packets/status/1121147936203624448
# Reference: https://otx.alienvault.com/pulse/5cd3ef4f22e204745f6672c3

magento-analytics.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/

cloudmetric-analytics.com
g-analytics.com
ebitbr.com

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/

googletagmanager.eu

# Reference: https://twitter.com/jeromesegura/status/1128387989111853056

jqueryextd.at

# Reference: https://twitter.com/bad_packets/status/1128517905765683201

fontsawesome.gq

# Reference: https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/
# Reference: https://otx.alienvault.com/pulse/5ce56f2bc5bbee0a58f7073c

thatispersonal.com
top5value.com
voodoo4tactical.com

# Reference: https://twitter.com/jeromesegura/status/1133160126561394688
# Reference: https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/

modest4ever.com

# Reference: https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html
# Reference: https://www.virustotal.com/gui/ip-address/178.33.231.184/relations

http://178.33.231.184
adorebeauty.org
all-about-sneakers.org
battery-force.org
blackriverimaging.org
braincdn.org
childsplayclothing.org
citywlnery.org
closetlondon.org
dahlie.org
davidsfootwear.org
dobell.su
elpalaciodehierro.org
etradesupply.org
exrpesso.org
foodandcot.com
freshdepor.com
greatfurnituretradingco.org
jewsondirect.com
kik-vape.org
labbe.biz
lamoodbighats.net
mage-checkout.org
misshaus.org
monocula1caillouet.slickjs.org
nililotan.org
oakandfort.org
ottocap.org
p114343.slickjs.org
pmtonline.su
replacemyremote.org
sagecdn.org
security-payment.su
shop-rnib.org
slickjs.org
swappastore.com
verywellfitnesse.com
walletgear.org

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/

cdn-imgcloud.com
font-assets.com
js-cloudhost.com
wix-cloud.com
ww1-filecloud.com

# Reference: https://twitter.com/rommeljoven17/status/1144786273741107200
# Reference: https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html
# Reference: https://otx.alienvault.com/pulse/5d1a08ac3f9760423c70c999

tracker-visitors.com
jquery-web.com
jquery-stats.com
jsreload.pw
routingzen.com

# Reference: https://twitter.com/eComscan/status/1147077036692922368

http://89.32.251.136

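# Reference: https://www.zscaler.com/blogs/research/magecart-activity-and-campaign-enhancements
# Reference: https://www.virustotal.com/gui/domain/dnsden.biz/relations
# Note: entries that carry a path (.../gate.php) can only match where the full URL is
# visible (cleartext HTTP or an inspecting proxy). /errors/default/gate.php has no host
# part, so it presumably matches that path on any host; triage hits per host.
# jsreload.pw, jqueryextd.at and routingzen.com are also listed earlier in this file.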

http://93.187.129.249/gate.php
developer-js.info/gate.php
dnsden.biz
jquery-bin.com/gate.php
jsreload.pw
jqueryextd.at
routingzen.com
saterday-race.com/gate.php
/errors/default/gate.php

# Reference: https://twitter.com/killamjr/status/1151142181643702277

ccprocess.review

# Reference: https://twitter.com/eComscan/status/1152153363892637696

magesource.su

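# Reference: https://twitter.com/AffableKraut/status/1154641710653300737
# Note: the second entry is an IDN look-alike of the first (accented "í"); it is listed in
# both Unicode and Punycode (xn--) form. DNS queries carry the xn-- form.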

googleping.com
googlepíng.com
xn--googlepng-m5a.com

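# Reference: https://blog.sucuri.net/2019/07/fake-google-domains-used-in-evasive-magento-skimmer.html
# Reference: https://twitter.com/daphiel/status/1156314169492279299
# Note: google-analytîcs.com (circumflex "î") is an IDN look-alike, listed in both Unicode
# and Punycode (xn--) form. lnfo.cc starts with a lowercase "L", not an "i".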

invoiceservice.info
lnfo.cc
google-analytîcs.com
xn--google-analytcs-xpb.com
google.ssl.lnfo.cc

# Reference: https://twitter.com/killamjr/status/1154393722777460737

googlc-analytics.cm

# Reference: https://twitter.com/jeromesegura/status/1158473869029601280

mageento.com
onlineclouds.cloud

# Reference: https://twitter.com/rommeljoven17/status/1158657062403883008

api-googles.com
facebookfollow.com
gstatlcs.com
qpstasis.com

# Reference: https://twitter.com/rommeljoven17/status/1169124706567544832

jquerycodemagento.com

# Reference: https://twitter.com/killamjr/status/1171399767240273920

trafficanalyzer.biz

# Reference: https://twitter.com/MBThreatIntel/status/1171817639728934912

magentoconnectors.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/
# Reference: https://otx.alienvault.com/pulse/5d821c4c16cca4b63f931226

googletrackmanager.com

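# Reference: https://twitter.com/shotgunner101/status/1174759248703741952
# Note: this entry is scoped to one URL rather than the whole host (presumably a
# compromised site); check the reference before widening it to the bare domain.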

bluemarineholding.com/wp-includes/locales.php

# Reference: https://www.riskiq.com/blog/labs/magecart-reused-domains/
# Reference: https://otx.alienvault.com/pulse/5d836d20a4a3d90861e796e2

cdnanalytics.net
cdnapis.com
contextjs.info
magelib.com
magento-order.com
nexcesscdh.net
ossmaxcdn.com

# Reference: https://twitter.com/shotgunner101/status/1175181663464230913

google-analyitics.org

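# Reference: https://www.ibm.com/downloads/cas/O3W1LZAZ
# Note: the last entry is a path plus query string with no host, so it presumably matches
# on any host and only where the request URL is visible (cleartext HTTP or an inspecting proxy).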

cnzz.space
cnzz.work
jsboxcontents.com
ms-akadns.com
sdsyxwx.com
survey-microsoft.net
/runforestrun?sid=botnet

# Reference: https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/
# Reference: https://otx.alienvault.com/pulse/5d9cf3671d2973bf30d2753f

cdn-volusion.com
volusion-cdn.com

# Reference: https://twitter.com/killamjr/status/1182045635593289728

clouding.live
piratefashions.com

# Reference: https://twitter.com/killamjr/status/1182050912224849920

jsblom.com

# Reference: https://twitter.com/xiatianguo/status/1183405035192872961
# Reference: https://twitter.com/FullM3talPacket/status/1182404667755520000
# Reference: https://pastebin.com/kqMV9vCX

bks0.com
cssjs.co
jscss.co
jspri.co
pen4.co
j2.is

# Reference: https://twitter.com/MBThreatIntel/status/1184531791102857216

assetstorage.net
fileskeeper.org

# Reference: https://twitter.com/killamjr/status/1185376383180136448

mgstrs.com

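# Reference: https://www.group-ib.com/blog/coffemokko
# Note: many entries below repeat ones listed earlier in this file (e.g. adorebeauty.org,
# slickjs.org, top5value.com), so count unique indicators rather than lines.
# Several appear to be misspelled or re-TLD'd look-alikes of merchant and vendor names;
# match them as exact domains only.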

3lift.org
abtasty.net
adaptivecss.org
adorebeauty.org
all-about-sneakers.org
ar500arnor.com
authorizecdn.com
bannerbuzz.info
battery-force.org
batterynart.com
blackriverimaging.org
braincdn.org
btosports.net
chicksaddlery.net
childsplayclothing.org
christohperward.org
citywlnery.org
closetlondon.org
coffemokko.com
coffetea.org
dahlie.org
davidsfootwear.org
dobell.su
elegrina.com
energycoffe.org
energytea.org
etradesupply.org
exrpesso.org
foodandcot.com
freshchat.info
freshdepor.com
greatfurnituretradingco.org
info-js.link
jewsondirect.com
kandypens.net
kik-vape.org
labbe.biz
lamoodbighats.net
link-js.link
londontea.net
mage-checkout.org
majsurplus.com
map-js.link
mechat.info
misshaus.org
mylrendyphone.com
nililotan.org
oakandfort.org
ottocap.org
parks.su
paypaypay.org
pmtonline.su
replacemyremote.org
sagecdn.org
security-payment.su
shop-rnib.org
slickjs.org
slickmin.com
smart-js.link
swappastore.com
teacoffe.net
top5value.com
track-js.link
ukcoffe.com
verywellfitnesse.com
walletgear.org
zapaljs.com
zoplm.com

# Reference: https://twitter.com/AffableKraut/status/1185070871691616256

fb-seo.net

# Reference: https://twitter.com/unmaskparasites/status/1185171035693441024

magento-community.org

# Reference: https://twitter.com/unmaskparasites/status/1185172904276836352

fb-content.dev

# Reference: https://twitter.com/unmaskparasites/status/1185256035633811463

magento-security.dev

# Reference: https://twitter.com/eComscan/status/1185170381331714048

fb-pixel.com
magento-protection.com

# Reference: https://twitter.com/killamjr/status/1182335468425416705

xciy.net

# Reference: https://twitter.com/killamjr/status/1182095269418024960

google-taq.com

# Reference: https://twitter.com/AffableKraut/status/1172052860378521600

magicsaphe.com
questappo.com
rqstpp.com
yongffice.com

# Reference: https://twitter.com/Totocellux/status/1165223332633022468
# Reference: https://blog.malwarebytes.com/threat-analysis/2019/08/magecart-criminals-caught-stealing-poker-face/

ajaxclick.com
www-trust.com

# Reference: https://twitter.com/AffableKraut/status/1159677725994622976

mage.biz.ua

# Reference: https://twitter.com/AdAstra247/status/1159111119488860160

scripts-analytics.com

# Reference: https://twitter.com/zombisoft/status/1152333754670755841

installw.com

# Reference: https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/

cdn-c.com

# Reference: https://twitter.com/unmaskparasites/status/1184571273583706112

cdn-clouds.com

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain:-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/
# Magecart Group 5 domains

informaer.biz
informaer.cc
informaer.com
informaer.net
informaer.org
informaer.pw
informaer.ws
informaer.xyz
informaer.info

# Reference: https://twitter.com/gwillem/status/1187667658642206720

hsadspixel.com

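# Reference: https://twitter.com/RapidSpike/status/1189882327557648386
# Note: the entry below is a path with no host, so it presumably matches on any host and
# only where the request URL is visible; a hit identifies the site that was requested, so
# review that host rather than treating the path as attacker infrastructure.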

/js/mage/adminhtml/product/composite/validate.php
