Mayura Kathir
2025-09-17 08:26:00
gbhackers.com
A new Magecart-style campaign has emerged that leverages malicious JavaScript injections to skim payment data from online checkout forms.
The threat surfaced after security researcher sdcyberresearch posted a cryptic tweet hinting at an active campaign hosted on cc-analytics[.]com.
Subsequent analysis revealed a heavily obfuscated script that hooks into checkout fields, collects credit card and billing information, and exfiltrates stolen data to an attacker-controlled domain.
At its core, the code defines an _0x1B3A1 function that decodes hex-encoded strings via repeated regex replaces and a custom base conversion routine, before immediately evaluating them with eval().
Analysts quickly unraveled the obfuscation by prepending debugger; in browser developer tools and by printing the original payload string in Python. Automated deobfuscation services like Obf-IO further simplified the process, revealing clear JavaScript logic.
After cleanup, the script consists of two main components: a data collection function that listens for changes on payment form elements (checkout__input) and clicks on credit-card selection buttons, and a data exfiltration function named sendStolenData().
When a user enters a card number longer than 14 digits, the skimmer packages the cardNumber and billingInfo fields into a FormData object and sends them via POST to https://www.pstatics.com/i.
This simple yet effective approach mirrors classic Magecart tactics, but the injection mechanism and domain naming patterns have evolved.
Infrastructure and Pivoting
Pivoting from the initial cc-analytics[.]com domain revealed a broader infrastructure footprint. URLScan.io searches for cc-analytics.com uncovered dozens of compromised e-commerce sites containing references to the domain, confirming widespread deployment.

Network logs identified the hosting IP address 45.61.136.141, whose WHOIS record ties back to a bulletproof hosting provider.
Further passive DNS and URLScan pivots exposed additional domains serving nearly identical payloads: jgetjs.com, getnjs.com, getvjs.com, getejs.com, and utilanalytics.com.

The shared IP and similar directory structures suggest a single threat actor re-using naming conventions (“get*js” and “*analytics”) across multiple campaigns.
A comprehensive list of associated domains also includes cc-analytis.com (typo variant), youtuber-dashboardwme.pro, secfw03secur.com, and even subdomains of 45-61-136-141.cprapid.com.
These domains have been active for at least a year, indicating a long-running infrastructure that periodically rotates domains to evade takedown efforts.
Implications and Detection
This campaign underscores the enduring threat posed by Magecart skimmers: small, public signals—like a single tweet—can reveal large, covert networks of malicious scripts.
Security teams should monitor web pages for unauthorized script tags referencing suspicious domains, especially those matching patterns such as “*analytics.com” or “get*js.com.” Tools like URLScan, publicWWW, and passive DNS lookups are invaluable for threat hunting and domain attribution.
Detection strategies include implementing Content Security Policy (CSP) rules that restrict script sources to known, vetted domains; deploying runtime application self-protection (RASP) to block unauthorized DOM modifications; and scanning web assets periodically for unexpected external script inclusions.
Integrating threat intelligence feeds that list these related domains can automate alerts when new compromised sites appear.
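The following script is an added example (not code from the article or from the researchers it cites) of two of the detection measures described above: auditing a page for external script inclusions that are not on a vetted allowlist, and deriving a Content Security Policy script-src directive from that same allowlist. The indicator list holds only domains named in the write-up; the page host shop.example, the allowlisted cdn.shop.example, the unvetted tagmgr.example and the pattern-matching getzjs.test are constructed for the sample page and are not real indicators.

```python
"""Audit a page for unexpected third-party <script> sources and emit a CSP."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the write-up above (indicators from the campaign).
KNOWN_BAD_DOMAINS = {
    "cc-analytics.com", "cc-analytis.com", "pstatics.com",
    "jgetjs.com", "getnjs.com", "getvjs.com", "getejs.com",
    "utilanalytics.com", "youtuber-dashboardwme.pro", "secfw03secur.com",
}

# Naming conventions the actor reuses ("get*js", "*analytics"); deliberately
# broad, so legitimate providers that happen to match belong on the allowlist.
SUSPICIOUS_NAME_PATTERNS = (
    re.compile(r"^get[\w-]*js\.[a-z]+$"),
    re.compile(r"analytics\.[a-z]+$"),
)


class ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def host_of(src, page_host):
    """Host a script src loads from; relative paths resolve to the page itself."""
    if src.startswith("//"):  # scheme-relative URL
        src = "https:" + src
    hostname = urlparse(src).hostname
    return hostname.lower() if hostname else page_host


def matches_known_bad(host):
    """True for an indicator domain or any subdomain of one (e.g. www.)."""
    return host in KNOWN_BAD_DOMAINS or any(
        host.endswith("." + bad) for bad in KNOWN_BAD_DOMAINS)


def classify_host(host, page_host, allowlist):
    """Verdict for one script host: allowed, known-bad, suspicious-pattern or unvetted."""
    if host == page_host or host in allowlist:
        return "allowed"
    if matches_known_bad(host):
        return "known-bad"
    if any(p.search(host) for p in SUSPICIOUS_NAME_PATTERNS):
        return "suspicious-pattern"
    return "unvetted"


def audit_page(html, page_host, allowlist):
    """Return every script source that is not allowlisted, with its verdict."""
    parser = ScriptSrcExtractor()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        host = host_of(src, page_host)
        verdict = classify_host(host, page_host, allowlist)
        if verdict != "allowed":
            findings.append({"src": src, "host": host, "verdict": verdict})
    return findings


def build_csp(allowlist):
    """script-src directive permitting only the page itself and vetted hosts."""
    return "script-src 'self' " + " ".join(
        "https://" + host for host in sorted(allowlist))


# Constructed checkout page: cc-analytics.com and getvjs.com come from the
# write-up; cdn.shop.example, tagmgr.example and getzjs.test are made up.
PAGE_HOST = "shop.example"
ALLOWLIST = {"cdn.shop.example"}
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://cc-analytics.com/a.js"></script>
<script src="//getvjs.com/v.js"></script>
<script src="https://getzjs.test/q.js"></script>
<script src="https://tagmgr.example/t.js"></script>
<script>window.inlineCode = true;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, PAGE_HOST, ALLOWLIST):
        print(f"{f['verdict']:18} {f['host']:20} {f['src']}")
    print(build_csp(ALLOWLIST))
```

An "unvetted" verdict is the review queue the article asks for: the host is neither a known indicator nor a pattern hit, so it should be checked for reputation and behaviour before it is either added to the allowlist or blocked. Inline scripts are not covered here; a CSP without 'unsafe-inline' (or with nonces) is what handles injected inline code.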
Organizations should not simply block all identified domains—false positives can disrupt business continuity—but should validate domain reputation and script behavior before enforcement.
Regular reviews of web server logs and client-side error reports can catch late-stage exfiltration attempts. Finally, engaging in information sharing via security communities ensures that new infrastructure discoveries propagate quickly, reducing the window of exposure.
This investigation illustrates that proactive threat hunting, combined with accessible tools and public signals, can map attacker infrastructure before significant customer loss. Security teams armed with these insights can strengthen defenses and disrupt Magecart-style campaigns at scale.