{"id":15849,"date":"2019-07-19T11:45:45","date_gmt":"2019-07-19T19:45:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9594\/"},"modified":"2019-07-19T11:45:45","modified_gmt":"2019-07-19T19:45:45","slug":"news-9594","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9594\/","title":{"rendered":"Inter: Skimmer For All"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis Report<br \/>  \u00a0<\/i><\/b><\/p>\n<p>Using web skimmers to steal payment card details has become a lucrative business for cybercriminals. Just last month, FortiGuard Labs discovered a campaign that had stolen the data of over <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/payment-card-details-stolen-magecart.html\">185,000 payment cards<\/a> in a one-year operation.<\/p>\n<p>MageCart, the collective name for the groups that inject JavaScript skimmers into compromised websites, continues to target online stores, <a href=\"https:\/\/www.scmagazineuk.com\/formjacking-attacks-compromised-50000-retailer-websites-2018\/article\/1526282\">reportedly<\/a> compromising over 50,000 websites in 2018. This is a serious threat to both businesses and consumers.<\/p>\n<p>FortiGuard Labs recently uncovered yet another campaign using similar tactics, but with a few differences that set it apart from other subgroups. The skimmer it uses is called <a href=\"https:\/\/www.siconsult.com\/si-cyber-intel-sochi-launches-bulletproof-hosting-service-for-malware-operators-spammers\">Inter<\/a>. It is highly customizable, so it can easily be configured to fit the buyer\u2019s needs, and is reportedly sold on underground forums for $1,300 per license. 
We started seeing attacks from this campaign on April 19. In this report we look at the techniques this campaign uses and give a glimpse into how its operation works.<\/p>\n<h2>The Skimmer<\/h2>\n<p>Our investigation began when we found a malicious JavaScript file connecting to <i>tracker-visitors[.]com<\/i>, where it was disguised as a visitor traffic tracker for a website. Further analysis of the domain led us to several open directories, which in turn led us to more of the customized skimmer scripts used by the campaign. As of June 20<sup>th<\/sup>, new skimmer scripts were still being uploaded.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Open directories at tracker-visitors[.]com\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Open Directories At tracker-visitors[.]com<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Since beginning our investigation we have identified over 70 skimmer scripts and 11 open directories, and there may be more hidden directories that we have not yet uncovered. As expected, the file names of the malicious JavaScript imitate commonly used script utilities, or are derived from the names of the compromised target websites. 
Based on functionality, the scripts found in the open directories can be categorized into the following types:<\/p>\n<ul>\n<li>Loader<\/li>\n<li>Web skimmer<\/li>\n<li>Fake payment form<\/li>\n<\/ul>\n<h2>Loader<\/h2>\n<p>The loader scripts\u2019 only job is to load the skimmer hosted on one of the campaign\u2019s C2 servers. <i>Figure 2<\/i> shows a code snippet from one of the loaders, <i>googletagver.js<\/i>. Before loading the skimmer, it uses the open-source library <a href=\"https:\/\/github.com\/sindresorhus\/devtools-detect\">devtools-detect<\/a> to check whether the browser\u2019s developer tools are open; if they are, it does not load the skimmer. This is a simple anti-analysis measure: an analyst who opens the developer tools on a compromised checkout page will not see the skimmer load at all, so the loader is best examined with the devtools check neutralized or from outside the browser.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_449801263.img.png\" alt=\"Loader script\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Loader Script<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Web Skimmer and Fake Payment Form<\/h2>\n<p>E-commerce websites handle payments in different ways. Some process payments internally, while others hand the customer off to an external <a href=\"https:\/\/en.wikipedia.org\/wiki\/Payment_service_provider\">payment service provider<\/a> (PSP). Depending on which approach the compromised website uses, the campaign deploys either a web skimmer or a fake payment form.<\/p>\n<p>For internally handled payments they use a web skimmer, which intercepts the credit card details entered into the forms that are already on the website. 
For websites that use a PSP, the attackers cannot see what the customer enters after being redirected to the external payment service, so they have to capture the details before the redirect. They do this by tricking the customer into entering card details on a fake form that is shown before the redirection takes place.<\/p>\n<p><b>The following samples are used in our analysis:<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">vmartgo.js &#8211; web skimmer<br \/> cap.js \u00a0&#8211; fake payment form<\/p>\n<p>The skimmers first check that the page has finished loading by reading <i>document.readyState<\/i> before continuing to the main routine, which is then re-run every half second.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_1862745116.img.png\" alt=\"Main function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Main Function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After the initial check, Inter reads the cookies named <i>$s<\/i> and <i>$sent<\/i>, which hold records of previously harvested and encoded payment information. 
This information is used later in the attack.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_1051258751.img.png\" alt=\"GetFromStorage function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: GetFromStorage Function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen below, the web skimmers call the functions <i>SaveAllFields()<\/i> to get the general information of the victim, and <i>GetCCInfo()<\/i> to specifically capture credit card details. As previously mentioned, for those websites that use PSPs, a fake form can be inserted, hence the addition of the <i>AddForm()<\/i> function<i>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_2098517059.img.png\" alt=\"TrySend function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: TrySend Function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The scripts that inject these forms are customized specifically to the payment page of the compromised websites, knowing where and when to display the fake forms. 
This means that the threat actors had to identify the layout of each payment page before injection.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_997546946.img.png\" alt=\"Function to add the fake payment form\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Function To Add The Fake Payment Form<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown below, the fake payment form is only added when the <i>\u201cPay by credit card\u201d<\/i> button is clicked. An untrained eye might not notice anything suspicious, but the button is actually labelled <i>\u201cVALIDATE AND PROCEED TO PAYMENT\u201d<\/i>, which means the customer should not be asked for any credit card details until the next step.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_84756330.img.png\" alt=\"Side by side screenshot of checkout page with the fake form\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Side By Side Screenshot Of Checkout Page With The Fake Form<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>To pick out the right information, skimmers usually check the current URL for keywords to make sure they are running on a checkout or payment page. The Inter skimmer takes a different approach. Regardless of which page the customer is on, it collects every value entered on the current page by reading the form elements <i>input<\/i>, <i>select<\/i> and <i>textarea<\/i>. The collected values are then filtered to extract the actual credit card details.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_289976367.img.png\" alt=\"SaveAllFields function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: SaveAllFields Function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The harvested data is then serialized to JSON, Base64-encoded and stored in the <i>$s<\/i> cookie. The MD5 hash of the encoded record is computed and compared against the entries in <i>$s.Sent<\/i>, an array of MD5 hashes of records previously sent to the C2 server. 
If the hash is already present, the record is discarded so that the same details are never sent twice.<\/p>\n<p>It is also worth noting that the C2 server that receives the stolen data is the same host that serves the malicious JavaScript, so blocking that one domain stops both the loader and the exfiltration.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_2101364525.img.png\" alt=\"SendData function with $sent showing previous md5 hashes\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: SendData Function With $sent Showing Previous md5 Hashes<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The way this malware sends the collected information to its C2 server is also notable. 
It creates an <i>IMG<\/i> element and sets its source to a URL on the C2 server, with the encoded payment details passed as a query parameter.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_649624748.img.png\" alt=\"Figure 10 LoadImage function to send the stolen info to the C2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: LoadImage Function To Send The Stolen Info To The C2<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Shown below is the traffic generated when the browser fetches the IMG element\u2019s source. The exfiltration is disguised as an ordinary image load, which helps it evade detection, since a web page normally loads many images. 
The image load is a plain <i>GET<\/i> request, which may draw less attention than the <i>POST<\/i> requests more commonly used for data exfiltration. Because the data leaves as an image load rather than a script or XHR call, a Content Security Policy that restricts <i>img-src<\/i> to known origins would block this beacon even if the skimmer itself had already run.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_692276644.img.png\" alt=\"Network traffic when stolen info is sent to the C2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Network Traffic When Stolen Info Is Sent To The C2<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Fake Payment Forms<\/h2>\n<p>To give a sense of this campaign\u2019s scope, it supports at least 18 major payment vendors, mainly in the US, UK, Australia and France.<\/p>\n<p>We have also seen around a dozen different fake payment forms created by this campaign, each tailored to a different vendor and provided in different languages.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image_1337686828.img.png\" alt=\"Compiled fake payment forms\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Compiled Fake Payment Forms<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>Access to the campaign\u2019s open directories gave us important insight into how it operates. With that information we were able to determine the scope of the attack and compare its TTPs (Tactics, Techniques and Procedures) with those used in previous MageCart campaigns.<\/p>\n<p>The information we gathered also shows that the group behind this campaign made full use of the customizable nature of the Inter skimmer: they tailored the skimmer to each targeted website and to its payment vendor. While we have seen many skimmers used in various MageCart campaigns, Inter\u2019s availability and convenience mean it can be bought and used by just about anyone. As a result, we anticipate seeing much more of it in the future.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>Solutions<\/h2>\n<p>FortiGuard Labs has reached out to the e-commerce websites affected by this campaign.<\/p>\n<p>Fortinet customers are protected by the following solutions:<\/p>\n<ul>\n<li>The malicious JavaScript samples analyzed are detected as JS\/Script.DF!tr.pws and JS\/Loader.DF!tr.pws<\/li>\n<li>The C2 servers are blocked by the FortiGuard Web Filtering Service<\/li>\n<\/ul>\n<h2>IOCs<\/h2>\n<p>aa1ae020558f7b41dc16ded37176959cbe87cbd2153094a75d67d9410f2d30d<br \/> 182fbc73d3901caceea7f058e41205be1dca21ac8dc1a63de20907e4099ec3b3<br \/> 33354c7922ead7588eeebfe0817064fd44f4aae173ea01b35e81e39e40e7e853<br \/> 37eb8c952d374b49eb933e8955c9cb5ea9a4109c67334880a9b9063b6770f852<\/p>\n<p>C2 domains<\/p>\n<p>tracker-visitors[.]com<br \/> jquery-web[.]com<br \/> jquery-stats[.]com<br \/> jsreload[.]pw<br \/> routingzen[.]com<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a 
href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/bBn8L64VTYY\/inter-skimmer-for-all.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/inter-skimmer-for-all\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>Learn about the Inter web skimmer campaign, recently uncovered by FortiGuard Labs<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15849","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15849"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15849\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}