“With nearly three out of every four dollars spent online done via a mobile device, it’s no wonder Magecart operators are looking to target this lucrative landscape,” the report said. To determine MobileInter’s functionality and links to other skimmer activities, the RiskIQ team performed a detailed analysis.
A Mobile-Only Skimmer: MobileInter
Because MobileInter targets mobile users exclusively, the malware performs several checks to determine what kind of device it is running on before doing anything else.
- First, it performs a regex check against the window location to determine if it is on a checkout page.
- A regex check also determines whether the user's userAgent string identifies one of several mobile browsers or devices, such as iPhone.
- The skimmer also checks the browser window dimensions to see if they are a size that’s expected for a mobile browser.
Only once all of these checks pass does the skimmer proceed to its data-skimming and exfiltration functions. To avoid detection, the malware authors gave these functions names that resemble legitimate services.
“For example, ‘rumbleSpeed,’ a function that determines how often the data exfil function is attempted, is meant to blend in with the jRumble plugin for jQuery, which ‘rumbles’ elements of a webpage to pull user focus,” RiskIQ said.
It is also noteworthy that the MobileInter skimmer deploys other methods to hide its operations. One of these methods is masquerading its domains as legitimate services. Apparently, MobileInter’s list of domains is quite long and includes names that imitate Alibaba, Amazon, and jQuery. However, its most recent focus is imitating Google services. “Both exfil URLs used by the skimmer mimic Google, with the WebSocket URL masquerading as Google Tag Manager,” the report noted.
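The gating checks described above (checkout-page regex on the window location, mobile userAgent regex, window-dimension test) together with a WebSocket exfil endpoint that imitates Google give a defender a static triage signature. The following Python script is an added example and not RiskIQ's tooling or the skimmer's code; the JavaScript samples inside it are constructed to mimic that pattern, the keyword lists are assumptions, and the allowlist of Google-owned domains is intentionally partial.

```python
import re
# Heuristic static triage for MobileInter-style mobile gating in JavaScript source:
# flag a script when two or more gating checks appear alongside a WebSocket endpoint.
CHECKOUT = re.compile(r"checkout|onepage|payment|billing", re.I)
LOCATION = re.compile(r"\b(window\.)?location\.(href|pathname)\b")
USERAGENT = re.compile(r"navigator\.userAgent\b")
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile|BlackBerry", re.I)
DIMENSION = re.compile(r"\b(innerWidth|innerHeight|screen\.(width|height))\b\s*[<>]=?\s*\d+")
WEBSOCKET = re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://([^'\"/]+)")
# Assumed (partial) allowlist of Google-owned hosts; any other host containing "google" is a lookalike.
GOOGLE_OWNED = ("google.com", "googletagmanager.com", "googleapis.com")

def is_google_lookalike(host):
    h = host.lower()
    owned = any(h == d or h.endswith("." + d) for d in GOOGLE_OWNED)
    return "google" in h and not owned

def scan_script(src):
    hits = {"checkout_location": False, "mobile_useragent": False,
            "window_dimensions": False, "websocket_hosts": []}
    # Indicators must co-occur within one ';'- or newline-delimited statement.
    for stmt in re.split(r"[;\n]", src):
        if LOCATION.search(stmt) and CHECKOUT.search(stmt):
            hits["checkout_location"] = True
        if USERAGENT.search(stmt) and MOBILE_UA.search(stmt):
            hits["mobile_useragent"] = True
        if DIMENSION.search(stmt):
            hits["window_dimensions"] = True
        hits["websocket_hosts"] += [m.group(1) for m in WEBSOCKET.finditer(stmt)]
    gating = sum(hits[k] for k in ("checkout_location", "mobile_useragent", "window_dimensions"))
    hits["google_lookalike_hosts"] = [h for h in hits["websocket_hosts"] if is_google_lookalike(h)]
    hits["suspicious"] = gating >= 2 and bool(hits["websocket_hosts"])
    return hits

# Constructed sample mimicking the gating pattern described in the report (not real skimmer code).
SAMPLE_SUSPICIOUS = """
var onPay = /checkout|onepage/i.test(window.location.href);
var isMob = /iPhone|Android/i.test(navigator.userAgent);
if (onPay && isMob && window.innerWidth < 768) {
  var ws = new WebSocket("wss://gtm-googletagmanager.example/collect");
}
"""
# Constructed benign responsive-layout snippet: a lone dimension check must not flag.
SAMPLE_BENIGN = """
if (window.innerWidth < 768) { document.body.classList.add("compact"); }
var ws = new WebSocket("wss://chat.example.com/ws");
"""
```

Run `scan_script` over each first-party and third-party script served on a checkout page; a `suspicious` result with a non-empty `google_lookalike_hosts` list is the combination worth a manual look.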
The researchers also observed an infrastructure overlap with other skimming cybercrime groups. It is certain that MobileInter belongs to a broader, shared skimming infrastructure and “bulletproof hosting that services multiple other skimmers and malware.” The same pattern has also been observed in skimming malware families such as Grelos.
Previous Magecart Skimmers
Grelos was released in November 2020. Also analyzed by RiskIQ researchers, this strain is a rehash of original code first spotted in 2015. Grelos consists of a loader and a skimmer, with base64 obfuscation hiding a two-stage skimmer. The report points out that the Grelos skimmer has been around since 2015, with its original version associated with Magecart Groups 1 and 2, and that some threat actors continue to use some of the original domains deployed to load it.