At last, I thought, I finally have something to share that will put my blog to good use!
Out of the 25 domain names, 6 were already listed in the list of burner domains, which you can find here at the magento-malware-scanner.
In addition, you will find the list of the other domain names embedded below this post or in my gist.
Most of the domain names are defined in a way that will most likely trick a developer into believing that they are legitimate (see the example under the seeding domains below).
The domains I found could be split into two main categories, each with their own characteristics.
Malware seeding domains
E.g. somebrandshop.js (burner-domain.com/ext/somebrandshop.js)
Data collecting domains
The data collecting domains are a shot in the dark, but there are sufficient reasons to believe they are collecting the data. All the collecting domains have a script at “/checkPayments.php” which returns an HTTP 200 status code, while every other page returns an Nginx notice.
Using reverse WHOIS to find more of them
Finding these domains was straightforward because they were all registered under the same, most likely fake, alias. By using reverse WHOIS, you get a list of all the domains registered under this alias. These domains were all registered in the past couple of months or were named in the way described above, and each matched the characteristics of either a seeder or a collector.
The most difficult part was finding a free reverse WHOIS service, as they usually require you to pay somewhere between 25 and 100 dollars for a full report. I found my free report at Whoxy, which I can recommend. When you come across another burner domain, I suggest you use a reverse WHOIS service like this one to find more and add them to the magento-malware-scanner.
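As an added illustration (not the post's own tooling), here is how the reverse WHOIS pivot and the two fingerprints above can be combined into one triage step. The WHOIS records, probe results, registrant alias "Jane Roe" and all domain names are constructed sample data, not the real findings, so it runs offline without touching any live domain.

```python
import re

# Constructed WHOIS records (sample data, not the post's real findings).
WHOIS_RECORDS = [
    {"domain": "somebrandshop-cdn.example", "registrant": "Jane Roe", "created": "2019-02-11"},
    {"domain": "payment-verify.example", "registrant": "Jane Roe", "created": "2019-03-02"},
    {"domain": "innocent-shop.example", "registrant": "Other Person", "created": "2019-03-05"},
    {"domain": "old-domain.example", "registrant": "Jane Roe", "created": "2012-06-01"},
]
# Constructed HTTP probe results: domain -> path -> (status, body).
PROBE_RESULTS = {
    "somebrandshop-cdn.example": {
        "/ext/somebrandshop.js": (200, "var _0xab12=['payment'];"),
        "/": (200, "<html><title>Welcome to nginx!</title></html>"),
    },
    "payment-verify.example": {
        "/checkPayments.php": (200, ""),
        "/": (404, "<html><head><title>404 Not Found</title></head><body>nginx</body></html>"),
        "/index.html": (404, "<html><head><title>404 Not Found</title></head></html>"),
    },
}
# A default Nginx page, as opposed to a real shop page.
NGINX_NOTICE = re.compile(r"<title>(?:404 Not Found|Welcome to nginx!)</title>", re.I)
COLLECTOR_PATH = "/checkPayments.php"

def reverse_whois_pivot(records, alias, newer_than):
    """Domains registered under one alias since an ISO date (string compare works for ISO dates)."""
    return sorted(r["domain"] for r in records
                  if r["registrant"] == alias and r["created"] >= newer_than)

def classify(domain, probes):
    """Apply the collector and seeder fingerprints described in the post."""
    pages = probes.get(domain, {})
    check = pages.get(COLLECTOR_PATH)
    others = [body for path, (_, body) in pages.items() if path != COLLECTOR_PATH]
    # Collector: /checkPayments.php answers 200 while every other page is a bare Nginx notice.
    if check and check[0] == 200 and others and all(NGINX_NOTICE.search(b) for b in others):
        return "collector"
    # Seeder: serves a shop-branded script under /ext/.
    if any(p.startswith("/ext/") and p.endswith(".js") and s == 200
           for p, (s, _) in pages.items()):
        return "seeder"
    return "unknown"

def triage(records, probes, alias, newer_than, known_burners):
    """Pivot on the registrant alias, classify each hit, flag ones already on the burner list."""
    return {d: {"class": classify(d, probes), "already_listed": d in known_burners}
            for d in reverse_whois_pivot(records, alias, newer_than)}
```

Domains that come back as "unknown" still deserve a manual look before being added to the list, since a collector that has not been probed on enough paths will not match the fingerprint.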
Corrections by J. Landbrug