MobileInter

MobileInter Description

MobileInter is a new incarnation of the Inter skimmer code, a skimmer extremely popular among Magecart threat actors. The creators of MobileInter used Inter as a basis but modified and expanded its functionality to better suit their particular set of targets. Indeed, MobileInter is used solely against mobile users. Considering the sheer volume of online spending that occurs on mobile devices, it is no wonder that the Magecart gangs are adjusting their operations to exploit it as well.

MobileInter Characteristics

The main aspects of MobileInter are its focus on mobile users and the ability to collect login credentials and payment data. During the time that the researchers at RiskIQ tracked the threat, they observed a definite evolution in the techniques used for data exfiltration and anti-detection.

The first variants of MobileInter fetched images from GitHub that carried the exfiltration URLs. Later iterations ditched the GitHub repositories and began carrying the exfiltration URLs within their skimmer code. Furthermore, the latest MobileInter versions use WebSockets for data upload.

As the threat actor behind MobileInter is interested in targeting only mobile users, they have equipped their malware tool with multiple tests designed to determine whether the payment transaction is being made on a suitable device. For starters, the threat runs a regex check against the window location to determine whether a checkout page is currently open. Then, the same regex check also tests whether the userAgent is set to one of several mobile browsers. MobileInter also tracks the dimensions of the browser window and matches them against what is expected for a mobile browser. If the checks return a positive result, the malware proceeds to skim the targeted data and exfiltrate it through a series of functions.

Evasion Techniques

To mask its nefarious activities, MobileInter gives its functions names that mimic those of legitimate services. For example, the 'rumbleSpeed' function, which determines the rate at which data exfiltration is performed, is designed to appear as part of the jRumble plugin for jQuery.

As for the domains employed in the operation, they too use legitimate services as disguises. Among the numerous domains related to the threat, some impersonate jQuery, Amazon, Alibaba, etc. The more recent MobileInter operations are modeled after Google services entirely, including the exfiltration URLs and the WebSocket URL that masks itself as Google Tag Manager.
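
Because the exfiltration endpoints pose as trusted brands and the upload runs over WebSockets, a defender can audit the connections a checkout page opens against an exact-host allow-list. The following is an added example, not code from the RiskIQ research or from the skimmer; the allow-list, the function names and every hostname in it are constructed assumptions.

```javascript
// Added example: audit outbound connections seen on a checkout page.
// All hostnames are constructed samples, not indicators from the report.

// Assumption: the merchant's real third-party hosts (exact match or subdomain).
const ALLOWED_HOSTS = ["www.googletagmanager.com", "code.jquery.com", "shop.example"];
// Brands the text above says the operators imitate.
const BRAND_TOKENS = ["google", "jquery", "amazon", "alibaba"];

function isAllowed(host) {
  return ALLOWED_HOSTS.some((a) => host === a || host.endsWith("." + a));
}

// Classify one observed connection: allowed, lookalike, unknown or unparseable.
function classify(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, verdict: "unparseable", websocket: false };
  }
  const host = url.hostname.toLowerCase();
  const websocket = url.protocol === "ws:" || url.protocol === "wss:";
  if (isAllowed(host)) return { url: rawUrl, verdict: "allowed", websocket };
  // A brand name in a host that is not on the allow-list is a disguise signal.
  const brand = BRAND_TOKENS.find((t) => host.includes(t));
  return { url: rawUrl, verdict: brand ? "lookalike" : "unknown", websocket, brand };
}

// Return only connections that need review, look-alikes over WebSocket first.
function auditConnections(urls) {
  const score = (f) => (f.verdict === "lookalike" ? 2 : 1) + (f.websocket ? 1 : 0);
  return urls
    .map(classify)
    .filter((f) => f.verdict !== "allowed")
    .sort((a, b) => score(b) - score(a));
}

// Constructed sample, e.g. gathered from CSP reports or a headless crawl.
const observed = [
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX",
  "https://code.jquery.com/jquery-3.6.0.min.js",
  "wss://googletagmanager-cdn.example/ws",
  "https://jquery-static.example/rumble.js",
  "https://metrics.example/pixel.gif",
];

for (const f of auditConnections(observed)) {
  console.log(f.verdict, f.websocket ? "ws" : "http", f.url);
}
```

A Content-Security-Policy `connect-src` directive restricted to the same allow-list also covers WebSocket connections, so it blocks this upload channel in the browser rather than only reporting it.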