New research from RiskIQ has concluded there is one hacking group responsible for the Inter skimmer kit behind the Magecart attacks, which compromises one ecommerce site every 16 minutes. RiskIQ said that over 1,500 websites have been infected.
Last month, jewellery and accessories retailer Claire’s was forced to remove a Magecart credit card skimmer from its website. The site appears to have been hacked back in March to take advantage of the closure of its high street stores during the Covid-19 coronavirus pandemic.
Describing the findings in a blog post, RiskIQ threat researcher Jordan Herman described the Inter skimmer kit as a “prolific digital skimming solution” used by several different Magecart actors.
Along with Magecart, RiskIQ found that the Inter skimmer also has connections to ransomware, fast flux DNS services, and suspicious domains potentially used for phishing or malware command and control activity.
Herman said the actor behind the kit has used several aliases but is most widely and recently known as “Sochi”.
In 2016, an actor using the alias “poter” developed an attack kit called the SniFall skimmer, according to Herman. RiskIQ determined that a subsequent attack kit, “Inter”, released in 2018 by Sochi, used the same infrastructure, which it said suggests that that “poter” and Sochi are the same actor.
The developer’s underground sales activities were documented in a 2018 report by RiskIQ and Flashpoint called Inside Magecart. The report found that the kit sold by poter in July of 2016 was priced at $5,000. Among the features and functions claimed by the developer in online adverts for poter was the ability to remove any duplicate entries among the skimmed data, a feature that was also included in later skimmers created by this actor, Herman stated in the post.
RiskIQ reported that on December 2, 2016, Sochi posted a new sales pitch in Russian for the latest skimmer (now called Inter). Herman said Sochi also updated the payment structure, setting the new skimmer’s licensing price at $1,300.
“This time, they included an option for a 30/70 profit-sharing arrangement instead of the fee. This drop in price and more flexible stance on payment options likely indicated increased product popularity,” Herman noted in the blog post.
RiskIQ found that the skimmer has been in constant development, using different approaches to avoid detection since 2017 and early 2018. According to Herman, other early versions of the Inter Skimmer were probably being used for research and development purposes. Several variations were implemented, which RiskIQ believes were focused on obfuscation and encryption of the skimming code to avoid detection.
These improvements have made Magecart attacks based on the Inter Skimming Kit more potent. “Today, the Inter Skimming Kit is wildly efficient and more difficult to detect due to this continuous improvement,” said Herman. “Modern Inter skimmers can even integrate an obfuscation service if the actor has access to an API key to access a far wider variety of obfuscation techniques.
“Other new features include creating fake payment forms on sites that use payment service providers, such as PayPal, and quick, automatic checks of new exfiltrated data against previously skimmed data via MD5 and cookie information to identify and remove duplicates.”