When Magecart attacks first began making the rounds, the attack vector — scripts covertly installed on websites to harvest customer payment card data — was considered to be the signature move of a specific hacking group.
However, credit card-skimming scripts have now been adopted by numerous cyberattackers and the trend has evolved to classify these types of attacks under a broad ‘Magecart’ umbrella involving numerous groups, targets, and countries.
Several years ago, domains belonging to high-profile names including British Airways and Ticketmaster were compromised via Magecart attacks, in which websites containing vulnerabilities were exploited to upload JavaScript code in payment portal pages.
As customers made purchases and input their details, payment card information was quietly harvested and whisked off to a command-and-control (C2) server, to later be sold on or used to make fraudulent purchases.
Now, Magecart-style attacks are far more common and techniques used to deploy card-skimming code are under a constant state of evolution.
See also: Credit card skimmers are now being buried in image file metadata on e-commerce websites
JavaScript code is either hosted directly on a compromised website or referenced and hosted on an attacker-controlled server. Malwarebytes has previously found Magecart code buried in image EXIF metadata, and in August, these image-related techniques evolved further to combine the Inter information collection framework, .ICO files, and so-called “homoglyph” attacks.
.ICO image requests on websites may now be changed to call up fraudulent .ICO images containing skimmer code, hosted on domains similar to legitimate domains but containing small spelling errors or differences to avoid detection.
The issue with Magecart-style attacks is the relatively “low bar” to entry set by Inter for cybercriminals seeking to cash in on our cards, RiskIQ says.
The Inter kit, which includes sniffers, data extraction tools, different injection modes, and scripts compatible with multiple e-commerce CMS varieties has been tracked by cybersecurity researchers for a number of years. An earlier build of the toolkit, as described by Volexity in 2018, was named JS Sniffer/SniFall and was used against the Magento e-commerce platform.
Further RiskIQ and Flashpoint research suggested that Inter first landed on underground forums in 2016 with a price tag of $5,000, but now, it appears that modern versions of Inter are on offer for $1,300 per license. This has now reduced to as little as $1,000 and a 30/70 revenue split option to entice even more attackers to the fold.
CNET: Appeals court finds NSA’s bulk phone data collection was unlawful
In March, PerimeterX said Magecart-related groups had grown from a “handful to a few hundred,” likely due to the discounted licensing cost and Inter’s all-in-one criminal solution, which requires little technical knowledge to deploy.
Inter, PerimeterX says, is well on its way to becoming a “Skimming-as-a-Service” option in underground forums. RiskIQ has carried on this research and says that over 1,500 websites at present are infected with the skimmer, with the kit becoming “one of today’s most common and widely used digital skimming solutions globally.”
“The Inter skimmer kit is a hot item on this market and comes prepackaged and ready-made to skim so that even cybercriminals with little technical expertise (but a little cash to burn) can use it,” the team says.
TechRepublic: Organizations facing nearly 1,200 phishing attacks each month
RiskIQ says the actor behind the kit, known by aliases including porter and Sochi, has made a number of recent improvements including the option to bolt-on additional obfuscation services; the ability to create fake payment forms using legitimate names such as PayPal; and automatic checks of stolen information to remove duplication.
Inter has now also been connected to a variety of other cybercriminal campaigns, including ransomware deployment, Darkcloud and SandiFlux fast flux DNS services — DNS techniques used to maintain botnets — and domains likely connected to phishing and spam campaigns.
“Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” the researchers added. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0