Homoglyph Attacks Used in “Inter” Skimming Kit
Malwarebytes’ continued research into credit card skimming has led them to what is known as a homoglyph attack. The attack relies on the fact that character sets such as ASCII and Unicode contain glyphs that look alike, for example upper case “I” and lower case “l”. This is useful for registering look-alike domain names: even though the characters appear identical on screen, they have different numerical values and are interpreted as different characters. Upper case “I” is ASCII 73 and lower case “l” is ASCII 108, so “google.com” and “googIe.com” are different domain names because of that single-character difference. This type of attack has been seen used by the Magecart group.
Discovery of this homoglyph attack was triggered by a YARA rule while researchers at Malwarebytes were scanning a file uploaded to VirusTotal. Inter is a well-known skimming kit, but it had not been seen packaged as an .ico file before, and the origin of the file is unknown. The file contained the URL of an exfiltration server, and the homoglyph substitution was in the domain name: ‘cigarpage’ versus ‘cigarpaqe’, with the “g” replaced by a “q”. The original site, ‘cigarpage’, had been injected with HTML referencing an icon file, which loads a copycat favicon from the look-alike domain. A favicon, the logo shown on the browser tab and used for branding, is normally a small file; the copycat domain instead serves a large file that is actually JavaScript. That JS file, which is also what triggered the YARA rule, is the skimmer that monitors form fields, and the gate used for data exfiltration also hosts the malicious favicon.
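The checks below are an added example, not Malwarebytes’ code or anything from the Inter kit, and they turn the two observations above into a small triage script: a confusable-character “skeleton” that flags a resource domain which looks like the site’s own domain (‘cigarpaqe’ for ‘cigarpage’, ‘googIe’ for ‘google’), and a content check that tells a genuine .ico (6-byte ICONDIR header) from a “favicon” that is really JavaScript. The confusables table, the sample HTML, the byte strings and the size threshold are all constructed for this example; a production tool would use the full Unicode confusables data and the public suffix list instead of the shortcuts assumed here.

```python
"""Triage helpers for homoglyph look-alike domains and disguised favicons.

Added illustration, not Malwarebytes' code. The sample HTML and byte strings
are constructed for the example. The ICO header check follows the real ICO
file format (reserved=0, type=1, count>=1); everything else is a heuristic.
"""
import re
from urllib.parse import urlparse

# Illustrative subset of look-alike sequences, mapped to a canonical
# "skeleton" character. Not the full Unicode confusables list (assumption).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",      # multi-character look-alikes
    "I": "l", "1": "l", "|": "l",         # ASCII 73 'I' vs ASCII 108 'l'
    "0": "o", "O": "o",
    "q": "g",                             # cigarpage vs cigarpaqe
    "\u0430": "a", "\u043e": "o",         # Cyrillic a, o
    "\u0435": "e", "\u0440": "p", "\u0441": "c",
}


def skeleton(label: str) -> str:
    """Collapse a hostname label so look-alike labels compare equal.
    Multi-character sequences are replaced first; lower-casing happens last
    so that a capital 'I' is still mapped to 'l' rather than to 'i'."""
    s = label
    for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, rep)
    return s.lower()


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'cigarpaqe' for 'www.cigarpaqe.com'.
    Assumes a single-label TLD (no public suffix list). Case is preserved."""
    parts = host.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(candidate_host: str, legitimate_host: str) -> bool:
    """True when the candidate's registrable label is visually the same as
    the legitimate one but is not the same name (case-insensitively)."""
    cand = registrable_label(candidate_host)
    legit = registrable_label(legitimate_host)
    return cand.lower() != legit.lower() and skeleton(cand) == skeleton(legit)


def host_of(url: str) -> str:
    """Host part of a URL with case preserved; urlparse().hostname would
    lower-case it and hide the capital-I trick."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]


# href/src of <link> and <script> tags (good enough for the sample below).
RESOURCE_RE = re.compile(
    r'<(?:link|script)\b[^>]*?(?:href|src)\s*=\s*["\']([^"\']+)["\']', re.I)


def flag_lookalike_resources(html: str, site_host: str) -> list:
    """Return resource URLs whose host is a homoglyph of the site's own host."""
    return [url for url in RESOURCE_RE.findall(html)
            if is_lookalike(host_of(url), site_host)]


def looks_like_ico(data: bytes) -> bool:
    """A real ICO starts with ICONDIR: reserved=0, type=1, then image count."""
    return (len(data) >= 6 and data[:4] == b"\x00\x00\x01\x00"
            and int.from_bytes(data[4:6], "little") >= 1)


def looks_like_script(data: bytes) -> bool:
    """Heuristic: decodes as text and contains JavaScript-looking tokens."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return re.search(r"function\s*\(|addEventListener|document\.|fetch\(", text) is not None


def classify_favicon(data: bytes, expected_max_bytes: int = 32 * 1024) -> str:
    """'ico' for a plausible small icon, 'script' for JavaScript served as an
    icon, otherwise 'suspicious'. The size threshold is an assumption."""
    if looks_like_ico(data) and len(data) <= expected_max_bytes:
        return "ico"
    if looks_like_script(data):
        return "script"
    return "suspicious"


# Constructed sample of an injected page: the genuine icon, a copy pointing at
# the look-alike domain, and a legitimate first-party script.
SAMPLE_HTML = """
<link rel="icon" href="https://cigarpage.com/favicon.ico">
<link rel="icon" href="https://cigarpaqe.com/favicon.ico">
<script src="https://cdn.cigarpage.com/app.js"></script>
"""

# Constructed byte strings: a minimal valid ICONDIR plus padding, and a
# stand-in for JavaScript served under a .ico name (not the real skimmer).
REAL_ICO = b"\x00\x00\x01\x00\x01\x00" + b"\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 64
FAKE_ICO = (b"(function(){document.addEventListener('submit',function(e){"
            b"var f=new FormData(e.target);fetch('/gate',{method:'POST',body:f});});})();")

if __name__ == "__main__":
    print(flag_lookalike_resources(SAMPLE_HTML, "cigarpage.com"))
    print(classify_favicon(REAL_ICO), classify_favicon(FAKE_ICO))
```

Run stand-alone, the script lists only the ‘cigarpaqe.com’ favicon as a look-alike resource and classifies the constructed icon as “ico” and the JavaScript body as “script”; the first-party CDN host shares the registrable label and is not flagged.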
Although the actor behind this attack is unknown at this point, the homoglyph technique is what the Malwarebytes authors see as a historic tie to Magecart Group 8. The homoglyph domain itself plays only a small part in the attack; looking at the malicious infrastructure (51.83.209.11), many homoglyph domains are registered there. One of them, ‘zoplm.com’, was previously associated with Magecart Group 8 and CoffeMokko, a different skimming code.
Homoglyphs are only one layer of the attack, and code and technique reuse make attribution difficult, but we know that malicious infrastructure tends to spring back. Older IOCs still prove helpful because some compromised sites have never been cleaned up and still load third-party scripts from that infrastructure. IOCs have been posted by Malwarebytes along with the in-depth article. Victim sites should be notified, and consumers who fall victim to these types of skimming attacks should contact their card providers and consider freezing their cards or taking other recovery steps.
Sources: