Malwarebytes researchers discovered that the novel Magecart skimmer domain identified by Sansec, as well as a suspected host determined by another security researcher, were tied to a more widespread campaign, which was related to another campaign last year that involved a skimmer with virtual machine detection capabilities. However, the skimmer was found to have the VM code removed.
"If the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it. For now, we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don't make them more robust," said Malwarebytes researcher Jérôme Segura.