This Magecart skimmer has been redesigned for mobile devices

Magecart operators have tweaked a popular credit card skimmer to target only mobile users, as consumers now do more of their online shopping from their smartphones than from their computers. According to a new report from RiskIQ, the Inter Skimmer Kit is one of the most common digital skimming solutions in the world. Various cybercriminal groups have been using the Inter Kit since late 2018 to steal payment details, affecting thousands of sites and consumers around the world.

In March last year, a new, modified version of Inter appeared online. Magecart operators have since modified it further to create MobileInter, which focuses only on mobile users and targets both their login credentials and payment details. While the first iteration of MobileInter downloaded exfiltration URLs hidden in images from GitHub repositories, the new version contains the exfiltration URLs in the skimmer code itself and uses WebSockets for data exfiltration. MobileInter also abuses Google's tracking services and domains that mimic the search giant to disguise itself and its infrastructure.

MobileInter

Since MobileInter only targets mobile users, the redesigned skimmer performs a variety of checks to ensure that it is skimming a transaction made on a mobile device. The skimmer first performs a regex check against the window location to determine whether it is on a checkout page; this type of check can also determine whether a user's userAgent is set to a mobile browser. MobileInter also checks the dimensions of the browser window to see whether it is a size associated with a mobile browser. After these checks, the skimmer performs its skimming and data exfiltration using various other functions.

Some of these functions are given names that could be mistaken for legitimate services to avoid detection. For example, a function called 'rumbleSpeed' is used to determine how often data exfiltration is attempted, although its name is meant to be mistaken for the jRumble plugin for jQuery, which 'rumbles' elements on a web page so that the user can focus on them.

RiskIQ has also identified MobileInter disguising its operations in another way. Ever since the company began tracking Magecart, it has observed threat actors disguising their domains as legitimate services. While RiskIQ's list of MobileInter-related domains is long, many emulate Alibaba, Amazon, and jQuery.

Although credit card skimmers first appeared in the real world at gas stations and other places where users swiped to pay, they quickly found their way online and have now gone mobile.
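For defenders reviewing scripts served on checkout pages, the following added example (not code from RiskIQ or from this article) statically triages a script for the combination of traits described above: a checkout test on the window location, a mobile userAgent test, a window-size test and WebSocket use. The regular expressions, the `triage` and `socketHosts` names, the flagging rule and the sample hosts are assumptions made for the example.

```javascript
// Added example: static triage for the trait combination the article describes.
// Patterns, names and the flagging rule are assumptions, not RiskIQ signatures.
const TRAITS = {
  checkoutGate: /location[\s\S]{0,80}?(checkout|onepage|payment)|(checkout|onepage|payment)[\s\S]{0,80}?location/i,
  mobileUserAgent: /userAgent[\s\S]{0,120}?(android|iphone|ipad|mobile)|(android|iphone|ipad|mobile)[\s\S]{0,120}?userAgent/i,
  viewportSize: /\b(innerWidth|innerHeight|screen\.(width|height))\b/,
  webSocket: /new\s+WebSocket\s*\(/,
};

// Hosts of WebSocket endpoints written as string literals in the source.
function socketHosts(source) {
  const hosts = new Set();
  const re = /new\s+WebSocket\s*\(\s*["'`](wss?:\/\/[^"'`\s]+)["'`]/g;
  for (const m of source.matchAll(re)) {
    try { hosts.add(new URL(m[1]).hostname); } catch { /* unparseable literal, skip */ }
  }
  return [...hosts];
}

function triage(source, allowedHosts = []) {
  const matched = Object.keys(TRAITS).filter((name) => TRAITS[name].test(source));
  const unexpectedHosts = socketHosts(source).filter((h) => !allowedHosts.includes(h));
  // Each trait alone is common in benign code; the combination is what merits review.
  const gated = ["checkoutGate", "mobileUserAgent", "viewportSize"].every((t) => matched.includes(t));
  const flag = gated && matched.includes("webSocket");
  return { matched, unexpectedHosts, flag };
}

// Constructed samples (inert fragments, not taken from any real skimmer).
const SUSPECT = `
  if (/checkout|onepage/.test(window.location.href) &&
      /Android|iPhone/i.test(navigator.userAgent) && window.innerWidth < 800) {
    var s = new WebSocket("wss://cdn.example.invalid/t");
  }`;
const BENIGN = `
  var compact = /Android|iPhone/i.test(navigator.userAgent) || window.innerWidth < 800;
  document.body.classList.toggle("compact", compact);`;

console.log(triage(SUSPECT, ["shop.example.com"])); // flagged, one unexpected host
console.log(triage(BENIGN, ["shop.example.com"]));  // responsive-layout code, not flagged
```

A flag here is a prompt for manual review, since obfuscated scripts can hide any of these strings; a `connect-src` Content Security Policy that lists only expected endpoints limits WebSocket destinations at the browser.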