To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users.
With nearly three out of every four dollars spent online done via a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.
MobileInter: What's New?
A new modified version of Inter—the precursor to MobileInter—was first reported in March 2020. Since then, Magecart operators have altered it even more. MobileInter, first reported in April 2021, focuses solely on mobile users and targets login credentials and payment data.
What else is new?
The first iteration of MobileInter downloaded exfil URLs hidden in images from GitHub repositories. In contrast, this new MobileInter contains the exfiltration URLs within the skimmer code itself and uses WebSockets for data exfil. Hiding its code by injecting it into images on the compromised websites is yet another new wrinkle added by operators.
MobileInter also disguises itself and its infrastructure, leaning heavily on Google to do so. It hides as Google tracking services, uses domains that mimic Google, and abuses Google IPs.
Mobile Victims Only, Please
Because it's targeting mobile users, MobileInter performs various checks to ensure it's skimming a transaction made on a mobile device.
- First, it performs a regex check against the window location to determine if it is on a checkout page.
- A regex check also determines if the user's userAgent is set to one of several mobile browsers, such as iPhone.
- The skimmer also checks the browser window dimensions to see if they are a size that's expected for a mobile browser.
A Little Disguise Can Go a Long Way
Once these checks pass, the skimmer executes its data skimming and exfil via several other functions. Some of these are given names that could be mistaken for legitimate services to avoid detection. For example, ‘rumbleSpeed,’ a function that determines how often the data exfil function is attempted, is meant to blend in with the jRumble plugin for jQuery, which "rumbles" elements of a webpage to pull user focus.
MobileInter also disguises its operations in other ways.
Since we began tracking Magecart, we’ve seen actors disguise their domains as legitimate services. The list of domains related to MobileInter is extensive and includes some that mimic Alibaba, Amazon, and jQuery (see the full list of IOCs in the Threat Intelligence Portal). However, the domains and hosting connected MobileInter’s most recent activity focus mainly on passing as Google services. Both exfil URLs used by the skimmer mimic Google, with the WebSocket URL masquerading as Google Tag Manager.
Infrastructure overlap with domains related to other card-skimming groups are common in the Magecart ecosystem, and MobileInter is no different. MobileInter is part of a broader skimming infrastructure with a pattern of shared infrastructure and bulletproof hosting that services multiple other skimmers and malware. We’ve previously documented this pattern in articles on The Inter Skimmer, The Grelos Skimmer, and bulletproof hosting related to skimming.
For example, one of MobileInter's exfil domains has appeared on six different IP addresses since January 2021, usually only staying on any one IP for about two weeks. Most of these IP addresses belong to Alibaba and are part of a larger pattern of Alibaba hosting servicing multiple skimmers and other threat infrastructure. RiskIQ has observed hundreds of skimming-related domains on rotating Alibaba IPs in recent years.
Illuminate Magecart Across Your Attack Surface
RiskIQ's Internet Intelligence Graph gathers internet-wide telemetry that enables us to view websites as Magecart actors do—a unique perspective that provides unmatched visibility into this prevalent threat, whose skimmers have appeared millions of times on hundreds of thousands of hosts. MobileInter is just the latest iteration of this popular skimming tool, and having insight into how skimmers evolve is key to helping organizations protect their attack surface.
To read our full report, including a complete list of IoCs related to MobileInter and the threat investigations that link it all together, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. You can unlock an entire month of Enterprise access by signing up with a corporate email address.