External Threat Management Labs

Inter: The Magecart Skimming Tool Now on More than 1,500 Sites

Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes

However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile magecart attacks to date, most notably Group 8's breach of the Nutribullet website

RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry. 

The resulting report, which you can access in our Threat Intelligence Portal, shows how Inter has evolved over the years, those responsible for its proliferation and development, and what may be next for the world's leading skimmer. 

Below are a few highlights from the report that will help you get to know Inter, the tool e-commerce shops must keep at bay to keep their customers safe. 

Inter has contributed to a low bar for entry into skimming.

Part of what makes Magecart attacks so common is they've become relatively easy to execute. There are entire economies built on the trade of skimmers, compromised sites, and stolen data. The Inter Skimmer kit is a hot item on this market and comes prepackaged and ready-made to skim so that even cybercriminals with little technical expertise (but a little cash to burn) can use it. The Inter Skimmer even comes with a dashboard to generate and deploy skimming code and back-end storage for skimmed payment data. 

'poter' is actually 'Sochi.’

A recent report by cybersecurity company Recorded Future surveyed a wide swath of skimming activity and profiled three different actors who developed and sold popular JavaScript skimmers. Using RiskIQ's historical data to connect behaviors and infrastructure, our researchers showed that two of the actors they discuss as separate entities are, in fact, the same. 

The actor behind Inter has used several aliases over the years but is best known in the skimming world as 'Sochi.' However, when the actor first surfaced in 2014, they went by "poter." In 2016, poter developed the SniFall skimmer and began selling it on an underground internet forum. In late 2018, the actor created a new skimmer they dubbed Inter and started advertising it on forums under a new alias, Sochi. 

Using RiskIQ data and OSINT, our researchers directly connected the infrastructure used to develop and test both skimmers to the same actor. According to Recorded Future's report, poter stopped advertising the SniFall skimmer, which they refer to as "Universal Sniffer," on January 10, 2019. 

The report states that it's unclear why they stopped advertising. However, our analysis shows that poter deprecated the SniFall skimmer because they had already developed and begun to sell the new Inter skimming kit. 

Skimming developers advertise new models of skimmers, just like legitimate products.

One of the early Inter models, SniFall, was first described by Volexity, which suggested that the skimmer was in use by several different actors due to variations in infrastructure, modes of skimming code injection, URI parameters, and other factors. This variation meant the developer behind the skimming code was likely selling it to other actors. 

These underground sales activities were documented in Inside Magecart, a 2018 report from RiskIQ and Flashpoint. The actor, then going by poter, initially advertised the kit in July of 2016, for a licensing fee of $5,000. The developer noted the features and functions touted in their ad removed duplicate entries among the skimmed data, a feature that became standard in later models of skimmers. 

On December 2, 2016, Sochi posted a new sales pitch in Russian for his latest skimmer (now called Inter), which touted its many improved features and functions. They also updated the payment structure, setting the new skimmer's licensing price at $1,300. However, this time, they included an option for a 30/70 profit-sharing arrangement instead of the fee. This drop in price and more flexible stance on payment options likely indicated increased product popularity. 

Skimming developers practice R&D like legitimate products, too. 

The early SnifFall kit included a web UI that may have been akin to the latest Tesla model to cybercriminals involved in web skimming. It allowed for customization of various settings to generate skimming code, such as custom regular expressions for various fields from which to steal data, including password fields. After filling out these settings, the skimming code auto-generated with a single click, and the actors were off to the races. 

Despite these bells and whistles, this skimmer was still simplistic by today's standards, and its development was just getting started. In RiskIQ's crawl data, you can see thorough testing in the form of small variations, rearrangements of functions, and different approaches to the obfuscation of the skimmer since 2017 and early 2018. Other early versions of the Inter Skimmer also appear to have been used for R & D purposes, implementing several variations, mainly in the realm of obfuscation and encryption of the skimming code to avoid detection. 

Today, the Inter Skimming Kit is wildly efficient and more difficult to detect due to this continuous improvement. Modern Inter skimmers can even integrate an obfuscation service if the actor has access to an API key to access a far wider variety of obfuscation techniques. Other new features include creating fake payment forms on sites that use payment service providers, such as PayPal, and quick, automatic checks of new exfiltrated data against previously skimmed data via MD5 and cookie information to identify and remove duplicates. 

The more skimming changes, the more it stays the same. 

Despite all its continuous improvement, much of today's Inter skimmer's functionality is similar to its predecessor. Both new and old versions of the skimmer look for onchange events related to form fields tagged at "input," "select," or "textarea," and record the element values at regular intervals. They convert those values to JSON formatting, and base64 encodes them along with the victim site hostname. Next comes exfiltrating the data by creating an image element with the exfiltration URL set as the source and the stolen, base64 encoded payment data appended to the URL.

It doesn't stop at skimming.

Cybercrime is a massive ecosystem, and threat groups often partake in many different flavors of attacks. Sochi is also involved in various malicious activities beyond their prolific digital skimmer, including malware development and financial fraud. Investigating infrastructure related to the Inter skimmer, our researchers uncovered connections to ransomware, fast flux DNS services, and suspicious domains potentially used for phishing or malware command and control activity. Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi. Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.

Fight Inter with Threat Intelligence

The Inter skimmer kit is one of the most prolific and impactful parts of the Magecart ecosystem we have seen recently. It has been used by several different actors to steal payment data since late 2018, affecting thousands of sites. The actor behind it, Sochi, aka poter, has been active in skimming since at least 2016 and appears to have been involved in other cybercrime spaces since 2014. Using RiskIQ data coupled with OSINT intelligence, we can map out the timeline of Sochi's activities and the development of their digital skimmer kits, SniFall, and Inter. 

To see read the full report, including a complete list of IoCs related to Inter and the threat investigations that link it all together, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. You can unlock an entire month of Enterprise access by signing up with a corporate email address. 

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor