Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites
When Magecart attacks first began making the rounds, the attack vector — scripts covertly installed on websites to harvest customer payment card data — was considered to be the signature move of a specific hacking group.
However, credit card-skimming scripts have now been adopted by numerous cyberattackers and the trend has evolved to classify these types of attacks under a broad ‘Magecart’ umbrella involving numerous groups, targets, and countries.
As customers made purchases and input their details, payment card information was quietly harvested and whisked off to a command-and-control (C2) server, to later be sold on or used to make fraudulent purchases.
Now, Magecart-style attacks are far more common and techniques used to deploy card-skimming code are under a constant state of evolution.
.ICO image requests on websites may now be changed to call up fraudulent .ICO images containing skimmer code, hosted on domains similar to legitimate domains but containing small spelling errors or differences to avoid detection.
The issue with Magecart-style attacks is the relatively “low bar” to entry set by Inter for cybercriminals seeking to cash in on our cards, RiskIQ says.
The Inter kit, which includes sniffers, data extraction tools, different injection modes, and scripts compatible with multiple e-commerce CMS varieties has been tracked by cybersecurity researchers for a number of years. An earlier build of the toolkit, as described by Volexity in 2018, was named JS Sniffer/SniFall and was used against the Magento e-commerce platform.
Further RiskIQ and Flashpoint research suggested that Inter first landed on underground forums in 2016 with a price tag of $5,000, but now, it appears that modern versions of Inter are on offer for $1,300 per license. This has now reduced to as little as $1,000 and a 30/70 revenue split option to entice even more attackers to the fold.
In March, PerimeterX said Magecart-related groups had grown from a “handful to a few hundred,” likely due to the discounted licensing cost and Inter’s all-in-one criminal solution, which requires little technical knowledge to deploy.
Inter, PerimeterX says, is well on its way to becoming a “Skimming-as-a-Service” option in underground forums. RiskIQ has carried on this research and says that over 1,500 websites at present are infected with the skimmer, with the kit becoming “one of today’s most common and widely used digital skimming solutions globally.”
“The Inter skimmer kit is a hot item on this market and comes prepackaged and ready-made to skim so that even cybercriminals with little technical expertise (but a little cash to burn) can use it,” the team says.
RiskIQ says the actor behind the kit, known by aliases including porter and Sochi, has made a number of recent improvements including the option to bolt-on additional obfuscation services; the ability to create fake payment forms using legitimate names such as PayPal; and automatic checks of stolen information to remove duplication.
Inter has now also been connected to a variety of other cybercriminal campaigns, including ransomware deployment, Darkcloud and SandiFlux fast flux DNS services — DNS techniques used to maintain botnets — and domains likely connected to phishing and spam campaigns.
“Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” the researchers added. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0