This week, we deployed a specialized crawler for research purposes. Within just 24 hours, it successfully identified new Magecart attack patterns. Magecart is a sophisticated, financially motivated threat that injects malicious JavaScript to steal personal payment information. Here's a list of the biggest Magecart attacks thus far.
Initial Detection: Obfuscated JavaScript on Artifyau[.]com
Detected URL: https://artifyau[.]com/T1M0dVluVnBiR1J6YVhSbGNISnZMbU52YlE9PQ/jqwery.js.
The URL mimics a legitimate JavaScript file, potentially resembling jQuery, but a quick look reveals a misspelling ("jqwery" instead of "jquery") - a common tactic to mask attacks. On inspection, the file contained highly obfuscated JavaScript, likely crafted to evade detection. Here’s a snapshot of the code structure:
And here deobfuscated and normalized:
This type of obfuscation is common in Magecart scripts, which aim to steal credit card information by injecting rogue code into the checkout pages of compromised sites.
The Suspicious Domain: A Closer Look
A quick lookup revealed that artifyau[.]com was registered on October 15, 2024, and is set to expire in a year. Here’s the basic metadata we gathered:
The domain was cloaked behind Cloudflare, and a quick search showed it was up for sale - an odd thing for a site supposedly hosting legitimate scripts.
From urlscan.io we found that multiple websites were infected: https://urlscan.io/search/#artifyau.com
Analysis of the HTML Page and Secondary Domain
The injected script tag:
This then loads a polyglot document. In a security context, polyglots are files that are valid as more than one file type at once; in this case, the file is valid both as HTML and as JavaScript:
This is commented-out HTML code, with the malicious JS placed at the bottom of the commented-out HTML, likely to evade detection:
If someone visits this URL directly in a browser, it renders the page below:
If it is injected into a website via a script tag, it is loaded as JavaScript instead. This then loads the final stage of malicious JavaScript, which in turn loads the jqwery.js file. Decoded, it looks like this:
It reveals multiple anti-debugging tricks and timeout code, just like other known Magecart JS files, including:
- setTimeout(_0x3481cd, 1000);
This is then used to steal the PII and credit card details of people visiting these sites.
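The signals described above (a typosquatted library filename, an opaque encoded path segment, an HTML document served as a script, and obfuscator-style `_0x` identifiers in timer calls) can be checked at the proxy before a third-party script reaches the page. The following is an added example, not the crawler or proxy code from this write-up; the list of imitated library names and both sample bodies are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Library names that loaders are commonly disguised as (assumption: extend as needed).
KNOWN_LIBRARIES = ("jquery", "bootstrap", "react", "angular", "vue")
# Markers that belong in an HTML document, never in a file fetched via <script src>.
HTML_MARKERS = re.compile(r"<!doctype\s+html|<html[\s>]|<head[\s>]|<body[\s>]", re.I)
OPAQUE_SEGMENT = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats like jqwery/jquery."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def library_lookalike(url):
    """Return the library a script filename imitates (distance 1, not exact), else None."""
    stem = re.split(r"[.\-_]", urlparse(url).path.rsplit("/", 1)[-1])[0].lower()
    for lib in KNOWN_LIBRARIES:
        if stem != lib and edit_distance(stem, lib) == 1:
            return lib
    return None


def assess_script(url, body):
    """Collect the reasons a third-party script fetch deserves blocking or review."""
    reasons = []
    lib = library_lookalike(url)
    if lib:
        reasons.append(f"filename imitates {lib}")
    if any(OPAQUE_SEGMENT.match(seg) for seg in urlparse(url).path.split("/")):
        reasons.append("opaque encoded path segment")
    if HTML_MARKERS.search(body):
        reasons.append("HTML document markers in a JavaScript response")
    if re.search(r"setTimeout\(\s*_0x[0-9a-fA-F]+", body):
        reasons.append("obfuscated identifier passed to setTimeout")
    return reasons


# Constructed bodies: the first URL is the one from the write-up, but its body is a
# stand-in with a polyglot shape, not the actual file; the second is a benign control.
SAMPLES = {
    "https://artifyau.com/T1M0dVluVnBiR1J6YVhSbGNISnZMbU52YlE9PQ/jqwery.js":
        "/*<!DOCTYPE html><html><body>Coming soon</body></html><!--*/\nsetTimeout(_0x3481cd, 1000);\n//-->\n",
    "https://code.jquery.com/jquery-3.7.1.min.js":
        "/*! jQuery v3.7.1 | (c) OpenJS Foundation */\n!function(e,t){}(this);\n",
}
```

Running `assess_script` over `SAMPLES` returns four reasons for the jqwery.js fetch and an empty list for the genuine jQuery file; any non-empty result is a block-and-alert decision at the proxy.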
On detailed analysis we found a new domain used by the threat actor: quantifymy[.]com.
Both domains are behind Cloudflare to hide their origin IP.
We found another list of websites infected through this domain: https://urlscan.io/search/#quantifymy.com
Only the domain is different; all the other TTPs remain the same as described above.
Protect your site
At the time of publishing this, only one threat feed vendor on VirusTotal reported these domains as malicious:
- https://www.virustotal.com/gui/domain/quantifymy.com
- https://www.virustotal.com/gui/domain/artifyau.com
Our proxy checks each third-party script being fetched by the browser. In our testing, it caught and blocked these domains from rendering the script, protecting the visitor. You can sign up for c/side here.