Security researchers have spotted a new tactic being trialed by Magecart hackers: targeting commercial grade routers to skim large volumes of card details.
Magecart is the generic name given to a number of groups using JavaScript code to covertly steal card details from users. The tried-and-tested technique used up until now involves injecting this code into a website’s payment page, either directly or through the compromise of a third-party provider.
However, according to IBM, Magecart Group 5 (MG5) is testing malicious code which could be injected into legitimate JavaScript loaded by Layer 7 routers.
These routers are typically used in venues such as airports, casinos and hotels to serve large numbers of users — theoretically giving the attackers a major haul of card details if they succeed.
“We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” IBM said in its report.
“The compromise can therefore be two-fold: 1. Guest payment data can be stolen when they browse through a compromised router; 2. malicious content can be injected into web pages viewed by all connecting guest devices, including those who pay to use the internet and those connecting to hotels’ free Wi-Fi hot spots.”
IBM also claimed to have found evidence that MG5 had injected malicious digital skimming code into a popular open source mobile module which provides sliding features on devices. This kind of supply chain attack could result in spreading the code to all apps which unwittingly incorporate that module, in order to steal data en masse from users.
This is in keeping with MG5’s usual MO, which is to target larger numbers of victims by infecting third-party platforms, improving the ROI of attacks versus those such as the raids on BA and Newegg which targeted the website/e-commerce provider directly.