{
	"id": "928c60bc-441c-408b-9790-d7fe2370f6fa",
	"created_at": "2026-04-06T00:08:46.422887Z",
	"updated_at": "2026-04-10T03:24:11.713318Z",
	"deleted_at": null,
	"sha1_hash": "503e7f45430c9bd5bf9df668e1045a4d227fcd0b",
	"title": "Inter: Skimmer For All",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1881296,
	"plain_text": "Inter: Skimmer For All\r\nBy Rommel Joven\r\nPublished: 2019-06-27 · Archived: 2026-04-05 18:56:57 UTC\r\nA FortiGuard Labs Threat Analysis Report\r\n \r\nUsing web skimmers to steal payment card details has become a good business for cybercriminals. In fact, just last\r\nmonth, FortiGuard Labs discovered a campaign that has stolen the data from over 185,000 payment cards in a\r\none-year operation.\r\nMageCart, the collective name given to the groups responsible for injecting JavaScript skimmers on compromised\r\nwebsites, continues to target online stores, reportedly compromising over 50,000 websites in 2018. This\r\npredicament represents a serious threat to both businesses and consumers.\r\nFortiGuard Labs recently uncovered yet another campaign using similar tactics, but with a few differences that set\r\nit apart from other subgroups. This skimmer is called Inter. It is highly customizable, so it can be easily\r\nconfigured to fit the buyer’s needs, and is reportedly being sold in underground forums for $1,300 per license. We\r\nstarted seeing attacks from this campaign on April 19, and in this report we’ll be looking at the techniques used by\r\nthis new campaign, as well as providing a glimpse into how their operation works.\r\nThe Skimmer\r\nOur investigation began when we found a malicious JavaScript connecting to tracker-visitors[.]com, where it was\r\ndisguised as a visitor traffic tracker for a website. Further analysis on the domain led us to the discovery of several\r\nopen directories, which then led us to more customized skimmer scripts used by the campaign. 
And as of June\r\n20th, new skimmer scripts were still being uploaded.\r\nhttps://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html\r\nPage 1 of 9\n\nFigure 1: Open Directories At tracker-visitors[.]com\r\nSince beginning our investigation, we have identified over 70 skimmer scripts and 11 open directories, but there\r\ncould be more hidden directories that we have not yet uncovered. As expected, the file names of the\r\nmalicious JavaScript attempt to imitate commonly used script utilities, as well as names directly related to the\r\ncompromised website targets. Based on functionality, the scripts found in the open directories can be\r\ncategorized into the following types:\r\nLoader\r\nWeb skimmer\r\nFake payment form\r\nLoader\r\nThe loader scripts’ function is to load the skimmer hosted on one of the campaign’s C2s. Figure 2 shows a code\r\nsnippet of one of the loaders, googletagver.js. Before loading the skimmer, it uses an open-source tool called\r\ndevtools-detect to determine if the script is being executed using a debugger, in which case it will not proceed\r\nwith loading the skimmer.\r\nFigure 2: Loader Script\r\nWeb Skimmer and Fake Payment Form\r\nE-commerce websites use different platforms for handling payments. For instance, some websites handle the\r\npayments internally, while others use external payment service providers (PSPs). Depending on which platform\r\nthe compromised website uses, the campaign uses either a web skimmer or a fake payment form.\r\nThey use web skimmers for internally managed payments so the attackers can access and intercept entered credit\r\ncard details from forms that are already on the website. 
In the case of websites that use PSPs, since the attackers\r\ndo not have access to the information provided by the customers after they have been redirected to an external\r\npayment service, they have to get the information before that happens. They accomplish this by tricking users into\r\nfilling in their card details on fake forms before the redirection.\r\nThe following samples are used in our analysis:\r\nvmartgo.js - web skimmer\r\ncap.js - fake payment form\r\nThe skimmers initially check whether the site has finished loading by checking document.readyState before\r\ncontinuing to the main routine. The skimmers then execute every half a second.\r\nFigure 3: Main Function\r\nAfter the initial check, Inter retrieves stored cookies named $s and $sent that contain records of previously\r\nencoded stolen payment information. This information is used later in the attack.\r\nFigure 4: GetFromStorage Function\r\nAs can be seen below, the web skimmers call the functions SaveAllFields() to get the general information of the\r\nvictim, and GetCCInfo() to specifically capture credit card details. As previously mentioned, for those websites\r\nthat use PSPs, a fake form can be inserted, hence the addition of the AddForm() function.\r\nFigure 5: TrySend Function\r\nThe scripts that inject these forms are customized specifically to the payment page of the compromised websites,\r\nknowing where and when to display the fake forms. This means that the threat actors had to identify the layout of\r\neach payment page before injection.\r\nFigure 6: Function To Add The Fake Payment Form\r\nAs shown below, the fake payment form is only added when the “Pay by credit card” button is clicked. 
An\r\nuntrained eye might not see anything suspicious, but a careful reader will notice that the button is labelled “VALIDATE\r\nAND PROCEED TO PAYMENT.” This clearly means that the customer is not expected to provide any credit card\r\ndetails until the next step.\r\nFigure 7: Side By Side Screenshot Of Checkout Page With The Fake Form\r\nTo extract the right information, skimmers usually check for keywords in the current URL to make sure that the\r\nskimmer is running on a checkout or payment page. The Inter skimmer takes a different approach. Regardless of\r\nwhich page the consumer is on, it extracts all entered information on the current webpage by taking values from\r\nform elements with the tags input, select, and textarea. The values are then further filtered to extract the actual\r\ncredit card details.\r\nFigure 8: SaveAllFields Function\r\nThis data is then converted to JSON, encoded with simple base64, and stored as a cookie in $s. The MD5\r\nhash of the encoded data is then calculated and compared to the entries in the variable $s.Sent, which contains a\r\nlist/array of MD5 hashes of payment details previously sent to the C2 server. If the hash exists, the data is\r\ndiscarded to avoid sending duplicate data.\r\nIt is also worth mentioning that the C2 used for data extraction is also where the malicious JavaScript is hosted.\r\nFigure 9: SendData Function With $sent Showing Previous md5 Hashes\r\nThe way this malware sends collected information to its C2 server is also notable. It creates an IMG element and\r\nthen sets the image source to the C2, with the encoded payment details as a parameter.\r\nFigure 10: LoadImage Function To Send The Stolen Info To The C2\r\nShown below is the traffic once the created IMG element connects to its image source. 
It disguises itself as\r\nimage content, which is a way to avoid detection – especially since it’s normal to load a lot of IMG elements into\r\na webpage. This then initiates a GET request, which might be less suspicious than the commonly used POST\r\nrequest method for data extraction.\r\nFigure 11: Network Traffic When Stolen Info Is Sent To The C2\r\nFake Payment Forms\r\nTo provide a sense of this campaign’s scope, it supports at least 18 major payment vendors, mainly in the US, UK,\r\nAUS, and FR.\r\nWe also have seen around a dozen different fake payment forms created by this campaign, each catering to\r\ndifferent vendors and provided in different languages.\r\nFigure 12: Compiled Fake Payment Forms\r\nConclusion\r\nBeing able to access an open directory in such a campaign has provided us with important information on its\r\nscope, as well as how it operates. With that information, we were then able to determine the scope of the attack,\r\nand compare the TTPs (Tactics, Techniques, and Procedures) with those used in previous MageCart campaigns.\r\nThe information we gathered also shows that because the group behind this campaign utilized the customizable\r\nfeature of the Inter skimmer, they were able to cater to different websites and payment vendors by tailoring the\r\nskimmer to their targeted websites. While we have seen a lot of skimmers used in various MageCart campaigns,\r\nInter’s availability and convenience means it can be bought and used by just about anyone. 
As a result, we\r\nanticipate that we will see much more of it in the future.\r\n-= FortiGuard Lion Team =-\r\nSolutions\r\nFortiGuard Labs has reached out to the e-commerce websites affected by this campaign.\r\nFortinet customers are protected by the following solutions:\r\nMalicious JavaScripts analyzed are detected as JS/Script.DF!tr.pws and JS/Loader.DF!tr.pws\r\nThe C2 servers are blocked by FortiGuard Web Filtering Service\r\nIOCs\r\naa1ae020558f7b41dc16ded37176959cbe87cbd2153094a75d67d9410f2d30d\r\n182fbc73d3901caceea7f058e41205be1dca21ac8dc1a63de20907e4099ec3b3\r\n33354c7922ead7588eeebfe0817064fd44f4aae173ea01b35e81e39e40e7e853\r\n37eb8c952d374b49eb933e8955c9cb5ea9a4109c67334880a9b9063b6770f852\r\nC2\r\nTracker-visitors[.]com\r\nJquery-web[.]com\r\nJquery-stats[.]com\r\njsreload[.]pw\r\nroutingzen[.]com\r\nSource: https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html"
	],
	"report_names": [
		"inter-skimmer-for-all.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/503e7f45430c9bd5bf9df668e1045a4d227fcd0b.pdf",
		"text": "https://archive.orkl.eu/503e7f45430c9bd5bf9df668e1045a4d227fcd0b.txt",
		"img": "https://archive.orkl.eu/503e7f45430c9bd5bf9df668e1045a4d227fcd0b.jpg"
	}
}