Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week.

Sucuri's blog has information concerning the compromised Magento servers, while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK. The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic. The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.

I've represented the traffic in a flow chart:

Shown above: Flow chart for last week's infection chains.

Shown above: Traffic I found on Friday, this time with IP addresses.

Upon closer examination, last week's traffic followed specific URL patterns.