A FortiGuard Labs Threat Analysis Report
Using web skimmers to steal payment card details has become a good business for cybercriminals. In fact, just last month, FortiGuard Labs discovered a campaign that has stolen the data from over 185,000 payment cards in a one year operation.
FortiGuard Labs recently uncovered yet another campaign using similar tactics, but with a few differences that set them apart from other subgroups. This skimmer is called Inter. It is highly customizable, so it can be easily configured to fit the buyer’s needs, and is reportedly being sold in underground forums for $1,300 per license. We started seeing attacks from this campaign on April 19, and in this report we’ll be looking at the techniques used by this new campaign, as well as provide a glimpse into how their operation works.
The loader scripts’ function is to load the skimmer hosted on one of the campaign’s C2s. Figure 2 shows a code snippet of one of the loaders, googletagver.js. Before loading the skimmer, it uses an open-source tool called devtools-detect to determine if the script is being executed using a debugger, in which case it will not proceed with loading the skimmer.
E-commerce websites use different platforms for handling payments. For instance, some websites handle the payments internally, while others use external payment service providers (PSPs). Depending on which platform the compromised website uses, the campaign uses either a web skimmer or a fake payment form.
They use web skimmers for internally managed payments so the attackers can access and intercept entered credit card details from forms that are already on the website. In the case of websites that use PSPs, since the attackers do not have access to the information provided by the customers after they have been redirected to an external payment service, they have to get the information before that happens. They accomplish this by tricking users into filling in their card details on fake forms before the redirection.
The following samples are used in our analysis:
vmartgo.js - web skimmer
cap.js - fake payment form
The skimmers initially check to determine if the site has finished loaded by calling document.readyState before continuing to the main routine. The skimmers then execute every half a second.
After the initial check, Inter retrieves stored cookies named $s and $sent that contain records of previously encoded stolen payment information. This information is used later in the attack.
As can be seen below, the web skimmers call the functions SaveAllFields() to get the general information of the victim, and GetCCInfo() to specifically capture credit card details. As previously mentioned, for those websites that use PSPs, a fake form can be inserted, hence the addition of the AddForm() function.
The scripts that inject these forms are customized specifically to the payment page of the compromised websites, knowing where and when to display the fake forms. This means that the threat actors had to identify the layout of each payment page before injection.
As shown below, the fake payment form is only added when the “Pay by credit card” button is clicked. An untrained eye might not see anything suspicious, but by reading carefully, the button is labelled with “VALIDATE AND PROCEED TO PAYMENT.” This clearly means that the customer is not expected to provide any credit card details until the next step.
To extract the right information, skimmers usually check for keywords in the current URL to make sure that the skimmer is running on a checkout or payment page. The Inter skimmer takes a different approach. Regardless of what the page the consumer is on, it extracts all entered information on the current webpage by taking values from form elements with the tags input, select, and textarea. The values are then further filtered to extract the actual credit card details.
This data is then converted to JSON and encoded with a simple base64 and stored as a cookie in $s. The MD5 hash of the encoded data is then calculated and compared to the entries in the variable $s.Sent, which contains a list/array of MD5 hashes of payment details previously sent to the C2 server. If the hash exists, the data is discarded to avoid sending duplicate data.
The way this malware sends collected information to its C2 server is also notable. It creates an IMG element and then sets the image source to the C2, with the encoded payment details as a parameter.
Shown below is the traffic once the created IMG element connects to its image source. It disguises itself as an image content, which is a way to avoid detection – especially since it’s normal to load a lot of IMG elements into a webpage. This then initiates a GET request, which might be less suspicious than the commonly used POST request method for data extraction.
To provide a sense of this campaign’s scope, it supports at least 18 major payment vendors, mainly in the US, UK, AUS, and FR.
We also have seen around a dozen different fake payment forms created by this campaign, each catering to different vendors and provided in different languages.
Being able to access an open directory in such a campaign has provided us with important information on its scope, as well as how it operates. With that information, we were then able to determine the scope of the attack, and compare the TTPs (Tactics, Techniques, and Procedures) with those used in previous MageCart campaigns.
The information we gathered also shows that because the group behind this campaign utilized the customizable feature of the Inter skimmer, they were able to cater to different websites and payment vendors by tailoring the skimmer to their targeted websites. While we have seen a lot of skimmers used in various MageCart campaigns, Inter’s availability and convenience means it can be bought and used by just about anyone. As a result, we anticipate that we will see much more of it in the future.
-= FortiGuard Lion Team =-
FortiGuard Labs has reached out to the e-commerce websites affected by this campaign.
Fortinet customers are protected by the following solutions:
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.