09 Jul 2021

The New Wave of Digital Card Skimming

Ashli LoppNews  

The COVID-19 pandemic has greatly increased online shopping, making these payment systems a more lucrative target for cyber criminals. Digital skimming attacks are now the greatest threat to online payment systems, largely due to their ability to quickly gather payment details for many customers. This type of attack involves injecting code into a merchant’s site, allowing a malicious actor to harvest payment card details from the site’s checkout page. The injection process has evolved particularly rapidly over the past year, but the latest digital skimmers also have additional features that make them more effective than ever.

The most commonly used skimmers are easy for individual actors to tweak for their specific purposes, allowing this type of malware to adapt quickly to new defenses. The Inter Skimmer kit has been one of the most popular skimming solutions since late 2018, affecting thousands of sites as of mid-2021. Security experts are particularly concerned about MobileInter, a modification of Inter Skimmer that only affects mobile users.

 

MobileInter

Analysts initially reported about a skimmer called Inter in March 2020. Malicious Magecart operators further modified Inter into MobileInter, which was first reported in April 2021. The first version of MobileInter retrieved exfiltration (exfil) URLs that were hidden in images stored in GitHub repositories. However, these URLs are embedded in the code of MobileInter’s latest version, eliminating the need to retrieve them.

Additional new features of MobileInter include the use of WebSocket for data exfiltration. It also injects its code into images stored on compromised websites, making it more difficult for website operators to detect MobileInter. Furthermore, this skimmer employs various methods to hide from Google, including mimicking other domains and abusing Google IP addresses.

 

Mobile Targeting

MobileInter performs multiple checks to ensure if the user it’s skimming transaction data from is using a mobile device. For example, it initially performs a regular expression (regex) check on the location of the browser window to ensure it’s on a checkout page. MobileInter also runs another regex check on userAgent to determine if the user is using a mobile browser. Finally, MobileInter checks the dimensions of the browser window to ensure its size is appropriate for a mobile device.

 

Disguises

MobileInter then uses various functions to skim and exfiltrate data, provided the device and browser window passes all of its checks. These functions are disguised in various ways to avoid detection, such as having the names of legitimate services. For example, jQuery is a JavaScript library with a plugin called jRumble because it “rumbles” webpage elements. One of MobileInter’s functions is called rumbleSpeed, but it actually determines how often MobileInter attempts to exfiltrate data.

Analysts have observed many malicious actors disguising their domains as legitimate Magecart services over the past year. MobileInter has an extensive list of domains, many of which mimic well-known companies like Alibaba and Amazon. Currently, the bulk of MobileInter’s domain and hosting activity seems focused on disguising itself as Google services.

 

Conclusion

The addition of MobileInter to the skimmer landscape makes it crucial for ecommerce businesses to improve their cyber defenses. Mobile-focused skimmers will continue to proliferate as the number of mobile buyers increases.

Leave a Reply

Your email address will not be published. Required fields are marked *