According to a new report from RiskIQ, the Inter Skimmer kit is one of the most common digital skimming solutions worldwide. Several different groups of cybercriminals have used the Inter kit since late 2018 to steal payment data and it affects thousands of sites and consumers worldwide.
In March of last year, a new modified version of Inter appeared online. However, Magecart operators have altered it even more to create MobileInter which focuses solely on mobile users and targets both their login credentials and payment data.
While the first iteration of MobileInter downloaded exfiltration URLs hidden in images from GitHub repositories, the new version contains the exfiltration URLs within the skimmer code itself and uses WebSockets for data exfiltration. MobileInter also abuses Google tracking services and domains that mimic the search giant to disguise itself and its infrastructure.
Since MobileInter solely targets mobile users, the redesigned skimmer performs a variety of checks to ensure it is skimming a transaction made on a mobile device.
The skimmer first performs a regex check against the window location to determine if it is on a checkout page but this kind of check can also find out if a user’s userAgent is set to one of several mobile browsers. MobileInter also checks the dimensions of a browser window to see if they are a size associated with a mobile browser.
After these checks have passed, the skimmer executes its data skimming and exfiltration using several other functions. Some of these functions are given names that could be mistaken for legitimate services in order to avoid detection. For example, a function called ‘rumbleSpeed’ is used to determine how often data exfiltration is attempted though it is meant to blend in with the jRumble plugin for jQuery, which “rumbles” elements of a webpage to make a user focus on them.
RiskIQ has also identified MobileInter disguising its operations in other ways. Since the firm began tracking Magecart, it has observed threat actors disguising their domains as legitimate services. While RiskIQ’s list of domains related to MobileInter is extensive, many mimic Alibaba, Amazon and jQuery.
Although credit card skimmers first appeared in the real world at gas stations and other places where users would swipe to pay, they soon found their way online and have now established a foothold on mobile.