A digital skimming kit has been described as “one of the most prolific and impactful parts of the Magecart ecosystem.”
Reportedly used by several different Magecart actors, the Inter skimmer has, according to research by RiskIQ, been used to steal payment data since late 2018 and has affected around 1,500 sites.
The Inter kit ships with a dashboard for generating and deploying skimming code, plus back-end storage for the skimmed payment data, which lowers the effort needed to mount an attack. RiskIQ also found connections to ransomware, fast-flux DNS services, and suspicious domains potentially used for phishing or for malware command-and-control activity.
Inter is based on a predecessor known as JS Sniffer or SnifFall, which RiskIQ described as “fairly simplistic”. According to the company, much of Inter's functionality is inherited from that predecessor: the skimmer copies out all the data entered into forms on the page by harvesting the page's “input”, “select” and “textarea” elements, then converts the extracted payment data to JSON and base64-encodes it before sending it off.
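To make the described mechanism concrete, the following is an added illustration written for this article, not code from Inter, JS Sniffer or RiskIQ. It runs under Node.js and uses a constructed array of field objects in place of a real checkout page (in a browser the equivalent source would be `document.querySelectorAll('input, select, textarea')`). It shows the harvest-then-JSON-then-base64 layering the article attributes to the kit, and then the check a defender can run on an outbound request body to undo that layering and spot card numbers inside it. The field names, the sample card number (a standard test number) and the Luhn-based heuristic are all assumptions for the example.

```javascript
// Added illustration (not Inter's code): form harvesting followed by
// JSON -> base64 encoding, plus the decoding check a defender can apply
// to outbound request bodies. Node.js; no network, no real DOM.

const HARVESTED_TAGS = new Set(['INPUT', 'SELECT', 'TEXTAREA']);

// Collect name/value pairs from every input, select and textarea element,
// ignoring anything else on the page (buttons, labels, ...).
function collectFormFields(elements) {
  const fields = {};
  for (const el of elements) {
    if (HARVESTED_TAGS.has(el.tagName.toUpperCase()) && el.name) {
      fields[el.name] = el.value;
    }
  }
  return fields;
}

// Serialize the harvested fields to JSON and base64-encode the result,
// the format the article attributes to Inter and its predecessor.
function encodePayload(fields) {
  return Buffer.from(JSON.stringify(fields), 'utf8').toString('base64');
}

// Luhn checksum over a string of digits; payment card numbers pass it.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Defender side: given the body of an outbound request captured by a proxy
// or CSP report collector, try to undo the base64 + JSON layering and flag
// values that are structurally card numbers (13-19 digits, Luhn-valid).
function inspectOutboundBody(body) {
  const result = { decoded: false, suspicious: false, fields: [] };
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return result; // not base64
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
  } catch (e) {
    return result; // base64 that does not decode to JSON
  }
  if (parsed === null || typeof parsed !== 'object') return result;
  result.decoded = true;
  for (const [name, value] of Object.entries(parsed)) {
    if (typeof value !== 'string') continue;
    const digits = value.replace(/\D/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      result.fields.push(name);
    }
  }
  result.suspicious = result.fields.length > 0;
  return result;
}

// Constructed checkout form (assumed field names; 4111... is a test number).
// The BUTTON entry is there to show that non-form elements are skipped.
const SAMPLE_FORM = [
  { tagName: 'INPUT', name: 'cc_number', value: '4111 1111 1111 1111' },
  { tagName: 'INPUT', name: 'cc_cvv', value: '123' },
  { tagName: 'SELECT', name: 'exp_month', value: '12' },
  { tagName: 'TEXTAREA', name: 'notes', value: 'leave with neighbour' },
  { tagName: 'BUTTON', name: 'pay', value: 'Pay now' },
];

const exfilBody = encodePayload(collectFormFields(SAMPLE_FORM));
console.log('exfil body:', exfilBody);
console.log('inspection:', inspectOutboundBody(exfilBody));
```

The inspection step is deliberately tolerant: anything that is not base64, or decodes to something other than a JSON object, is reported as not decoded rather than as an error, so the same function can be run over every outbound body without special-casing. The Luhn heuristic only catches the plain JSON-in-base64 layering described here; the obfuscated and encrypted variants RiskIQ mentions below would need the decryption step recovered from the skimmer code first.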
RiskIQ said the main variations it has observed between variants of the Inter skimmer are increased use of sophisticated obfuscation, which is a trend among skimmers in general. “The Inter kit includes the ability to integrate an obfuscation service if the actor has access to an API key,” it said.
“Throughout our tracking of this skimmer we continue to see a wide variance in the amount of obfuscation employed. Some implementations use clear skimming code, while others employ encrypted obfuscation to try to hide their activity.”
The actor behind the kit is reportedly known as Sochi, who has been active in skimming since at least 2016 and appears to have been involved in other cybercrime spaces since 2014. RiskIQ said this actor is also involved in a wide variety of malicious activity beyond their prolific digital skimmer, including malware development and financial fraud.
“Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” it said. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”