VERY IMPORTANT

A new modified version of Inter—the precursor to MobileInter—was first reported in March 2020. Since then, Magecart operators have altered it even more. MobileInter, first reported in April 2021, focuses solely on mobile users and targets login credentials and payment data. The first iteration of MobileInter downloaded exfil URLs hidden in images from GitHub repositories. In contrast, this new MobileInter contains the exfiltration URLs within the skimmer code itself and uses WebSockets for data exfil. Hiding its code by injecting it into images on the compromised websites is yet another new wrinkle added by operators. MobileInter also disguises itself and its infrastructure, leaning heavily on Google to do so. It hides as Google tracking services, uses domains that mimic Google, and abuses Google IPs.