{ "type": "Domain", "indicator": "getvjs.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/getvjs.com", "alexa": "http://www.alexa.com/siteinfo/getvjs.com", "indicator": "getvjs.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3652209348, "indicator": "getvjs.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Magecart" ], "malware_families": [ "Magecart" ], "industries": [ "Ecommerce" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "getvjs.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "getvjs.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780223465.2500732 }