A New Threat Actor Spotted in the Card Skimming Ecosystem

Card Skimming Ecosystem


The ongoing COVID-19 pandemic has left a profound impact on the payments ecosystem threat landscape throughout 2020 and into 2021. With online shopping witnessing a surge bigger than ever, digital skimming attacks have become a top threat for the payments ecosystem.

A simple digital skimming attack involves injecting malicious code into a merchant’s site to harvest payment card details from the site’s checkout page. However, in the past year, there has been a vast evolution in the injection process and skimmer code as well. To add to the trouble, a new threat actor has emerged lately with new tricks up its sleeve.

It all started with the discovery of MobileInter

In May, RisKIQ researchers discovered a new skimmer called MobileInter that focused exclusively on mobile users.

  • RiskIQ reported that this new customized malware is proof that Magecart operators are looking for opportunities to spread their attacks to a wider range of victims.
  • Upon being executed on a user’s mobile phone, the malware performs various checks to ensure that it is skimming a transaction made on a mobile device.

A twist in the tale

A month after, the RiskIQ researchers came up with new details related to the MobileInter skimmer.

  • They identified several websites, services, and social media accounts connected to an authentication activity known as bit2check, a part of the card-skimming network.
  • Some bit2check domains shared the same hosting pattern as Magecart domains used for abusing Alibaba and Google hosting services. Moreover, these domains were promoted via Telegram channels such as ‘realcvvshoplv’.
  • Upon further analysis, researchers found that the individual behind bit2check is a Kurdish actor called Hama.
  • It was uncovered that the threat actor had a network of other sites such as credit card validators and stolen credit card data shops.

What do the researchers say?

Researchers explain that the discovery of Bit2check is another cog in the massive card skimming ecosystem, catering to skimmers trying to validate their plunder or purchase more stolen data.


With the addition of a new facet to the ever-expanding skimming threat landscape, it has become crucial for organizations in the retail sector to raise the level of their cyber defenses. Having the right security measures in place can help expose skimming threats lurking within websites and apps.