Hackers targeting commercial routers to inject credit card stealing code in shopping sites

Magecart 5 is targeting Layer 7 routers used in airports, casinos, hotels, and resorts, and others, to steal credit card data on popular US and Chinese shopping sites.

Security expert Frank Abagnale: Drop the debit card and freeze your credit Con man turned cybersecurity expert Frank Abagnale talks with TechRepublic's Karen Roby about the steps people can take to protect their identity and encourage better credit practices.

Researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team identified a Magecart campaign targeting commercial-grade Layer 7 routers—used in large venues that serve a transient user base such as airports, casinos, hotels, and resorts—to exfiltrate credit card data from users shopping for goods on US and Chinese websites. 

The routers in question are capable of injecting advertisements into web pages viewed on websites using this connection in an effort to recuperate costs of running free Wi-Fi service. While IRIS is quick to note that there is no evidence of vendor compromise, the attackers are exploring resources provided by the device vendor.

SEE: 10 tips for new cybersecurity pros (free PDF) (TechRepublic)

IRIS identified roughly 17 files uploaded to VirusTotal with minor changes and behavioral differences, including JavaScript skimmers, referrer redirectors, random domain generators, and script injectors. Uploading test code to VirusTotal by malicious actors to determine if a payload is detected as a threat is a common practice. 

The novel part is the resource being leveraged in the attack. Level 7 routers provides "access to a large number of captive users with very high turnover, like in the case of airports or hotels," according to IRIS, making it a "a lucrative concept for attackers looking to compromise payment data. We believe that [Magecart] aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet," the report stated.

IRIS advises that ecommerce retailers use extension blacklists, as well as scrutinize vendor-provided JavaScript files for integrity.

Magecart refers to at least 12 distinct financially-motivated cybercrime groups that leverage online skimming attacks to exfiltrate credit card data. The most active of these groups, Magecart 5 (MG5), is posited by IRIS to be the origin of router attack.

The IRIS report lands amid a burst of activity from Magecart threat groups. For more, check out "Old Magecart web domains resurrected for fraudulent ad schemes" and "Magecart strikes again: hotel booking websites come under fire" on ZDNet.

Also see

istock-480137882.jpg

BrianAJackson, Getty Images/iStockphoto