Inter: Skimmer For All

A FortiGuard Labs Threat Analysis Report
 

Using web skimmers to steal payment card details has become a good business for cybercriminals. In fact, just last month, FortiGuard Labs discovered a campaign that has stolen the data from over 185,000 payment cards in a one year operation.

MageCart, the collective name given to the groups responsible for injecting JavaScript skimmers on compromised websites, continues to target online stores, reportedly compromising over 50,000 websites in 2018. This predicament represents a serious threat to both businesses and consumers.

FortiGuard Labs recently uncovered yet another campaign using similar tactics, but with a few differences that set them apart from other subgroups. This skimmer is called Inter. It is highly customizable, so it can be easily configured to fit the buyer’s needs, and is reportedly being sold in underground forums for $1,300 per license. We started seeing attacks from this campaign on April 19, and in this report we’ll be looking at the techniques used by this new campaign, as well as provide a glimpse into how their operation works.

The Skimmer

Our investigation began when we found a malicious JavaScript connecting to tracker-visitors[.]com, where it was disguised as a visitor traffic tracker for a website. Further analysis on the domain led us to the discovery of several open directories, which then led us to more customized skimmer scripts used by the campaign. And as of June 20th, new skimmer scripts were still being uploaded.

Figure 1: Open Directories At tracker-visitors[.]com

Since beginning our investigation, we have identified over 70 skimmer scripts and 11 open directories, but there could possibly be more hidden directories that we have not yet uncovered. As expected, the file names of the malicious JavaScript attempt to imitate commonly used script utilities, as well as names directly related to the compromised website targets. Based on functionalities, the scripts found from the open directories can be categorized to the following types:

  • Loader
  • Web skimmer
  • Fake payment form

Loader

The loader scripts’ function is to load the skimmer hosted on one of the campaign’s C2s. Figure 2 shows a code snippet of one of the loaders, googletagver.js. Before loading the skimmer, it uses an open-source tool called devtools-detect to determine if the script is being executed using a debugger, in which case it will not proceed with loading the skimmer. 

Figure 2: Loader Script

Web Skimmer and Fake Payment Form

E-commerce websites use different platforms for handling payments. For instance, some websites handle the payments internally, while others use external payment service providers (PSPs). Depending on which platform the compromised website uses, the campaign uses either a web skimmer or a fake payment form.

They use web skimmers for internally managed payments so the attackers can access and intercept entered credit card details from forms that are already on the website. In the case of websites that use PSPs, since the attackers do not have access to the information provided by the customers after they have been redirected to an external payment service, they have to get the information before that happens. They accomplish this by tricking users into filling in their card details on fake forms before the redirection.

The following samples are used in our analysis:

vmartgo.js – web skimmer
cap.js  – fake payment form

The skimmers initially check to determine if the site has finished loaded by calling document.readyState before continuing to the main routine. The skimmers then execute every half a second.

Figure 3: Main Function

After the initial check, Inter retrieves stored cookies named $s and $sent that contain records of previously encoded stolen payment information. This information is used later in the attack.

Figure 4: GetFromStorage Function

As can be seen below, the web skimmers call the functions SaveAllFields() to get the general information of the victim, and GetCCInfo() to specifically capture credit card details. As previously mentioned, for those websites that use PSPs, a fake form can be inserted, hence the addition of the AddForm() function.

Figure 5: TrySend Function

The scripts that inject these forms are customized specifically to the payment page of the compromised websites, knowing where and when to display the fake forms. This means that the threat actors had to identify the layout of each payment page before injection.

Figure 6: Function To Add The Fake Payment Form

As shown below, the fake payment form is only added when the “Pay by credit card” button is clicked. An untrained eye might not see anything suspicious, but by reading carefully, the button is labelled with “VALIDATE AND PROCEED TO PAYMENT.” This clearly means that the customer is not expected to provide any credit card details until the next step.

Figure 7: Side By Side Screenshot Of Checkout Page With The Fake Form

To extract the right information, skimmers usually check for keywords in the current URL to make sure that the skimmer is running on a checkout or payment page. The Inter skimmer takes a different approach. Regardless of what the page the consumer is on, it extracts all entered information on the current webpage by taking values from form elements with the tags input, select, and textarea. The values are then further filtered to extract the actual credit card details.

Figure 8: SaveAllFields Function

This data is then converted to JSON and encoded with a simple base64 and stored as a cookie in $s. The MD5 hash of the encoded data is then calculated and compared to the entries in the variable $s.Sent, which contains a list/array of MD5 hashes of payment details previously sent to the C2 server. If the hash exists, the data is discarded to avoid sending duplicate data.

It is also worth mentioning that the C2 used for data extraction is also where the malicious JavaScript is hosted.

Figure 9: SendData Function With $sent Showing Previous md5 Hashes

The way this malware sends collected information to its C2 server is also notable. It creates an IMG element and then sets the image source to the C2, with the encoded payment details as a parameter. 

Figure 10: LoadImage Function To Send The Stolen Info To The C2

Shown below is the traffic once the created IMG element connects to its image source. It disguises itself as an image content, which is a way to avoid detection – especially since it’s normal to load a lot of IMG elements into a webpage. This then initiates a GET request, which might be less suspicious than the commonly used POST request method for data extraction.

Figure 11: Network Traffic When Stolen Info Is Sent To The C2

Fake Payment Forms

To provide a sense of this campaign’s scope, it supports at least 18 major payment vendors, mainly in the US, UK, AUS, and FR.

We also have seen around a dozen different fake payment forms created by this campaign, each catering to different vendors and provided in different languages. 

Figure 12: Compiled Fake Payment Forms

Conclusion

Being able to access an open directory in such a campaign has provided us with important information on its scope, as well as how it operates. With that information, we were then able to determine the scope of the attack, and compare the TTPs (Tactics, Techniques, and Procedures) with those used in previous MageCart campaigns.

The information we gathered also shows that because the group behind this campaign utilized the customizable feature of the Inter skimmer, they were able to cater to different websites and payment vendors by tailoring the skimmer to their targeted websites. While we have seen a lot of skimmers used in various MageCart campaigns, Inter’s availability and convenience means it can be bought and used by just about anyone. As a result, we anticipate that we will see much more of it in the future.

-= FortiGuard Lion Team =-

Solutions

FortiGuard Labs has reached out to the e-commerce websites affected by this campaign.

Fortinet customers are protected by the following solutions:

  • Malicious JavaScripts analyzed are detected as JS/Script.DF!tr.pws and JS/Loader.DF!tr.pws
  • The C2 servers are blocked by FortiGuard Web Filtering Service

IOCs

aa1ae020558f7b41dc16ded37176959cbe87cbd2153094a75d67d9410f2d30d
182fbc73d3901caceea7f058e41205be1dca21ac8dc1a63de20907e4099ec3b3
33354c7922ead7588eeebfe0817064fd44f4aae173ea01b35e81e39e40e7e853
37eb8c952d374b49eb933e8955c9cb5ea9a4109c67334880a9b9063b6770f852

C2

Tracker-visitors[.]com
Jquery-web[.]com
Jquery-stats[.]com
jsreload[.]pw
routingzen[.]com

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

http://feeds.feedburner.com/fortinet/blog/threat-research

Leave a Reply