Magecart has launched a new campaign offering a highly customizable payload along with JavaScript loaders and software bundles that can ensure the malicious payload isn't being executed in a debugger or sandbox, according to Fortinet researchers.
“This skimmer is called Inter. It is highly customizable, so it can be easily configured to fit the buyer’s needs and is reportedly being sold in underground forums for $1,300 per license. We started seeing attacks from this campaign on April 19,” the researchers wrote.
“E-commerce websites use different platforms for handling payments. For instance, some websites handle the payments internally while others use external payment service providers (PSPs). Depending on which platform the compromised website uses, the campaign uses either a web skimmer or a fake payment form,” the report said.
The campaign reportedly injects a fake card payment form on a targeted web page and skims a victim's entered card information, whether or not the page is a checkout form, enabling the skimmer to be brought into the customer experience earlier, avoiding possible security software intended to catch it on the checkout page. Another feature allows Inter to avoid detection by hiding the stolen information in plain site, according to the report.
“The addition of obfuscation and anti-debugging capabilities to digital skimming toolkits such as Inter renders many of the passive scanners ineffective due to their reliance on finding the malicious payload hidden deep inside the site. In addition, attackers are now targeting specific users and are aware of the scanners that might block them, so attackers may serve a 'clean' script,” said Omri Iluz, CEO and co-founder of PerimeterX.
“A more effective solution is runtime analysis of real users. When analyzing runtime behavior of the site running in real user browsers, obfuscation and anti-debugging techniques are simply avoided, exposing the malicious payload as it’s being executed by the user.”