Security news that informs and inspires

Magecart’s Evolving Tactics Target Routers


One of the attack groups operating under the Magecart umbrella may be testing code to inject into routers commonly used in public Wi-Fi networks, IBM researchers said.

When users try to connect to public networks, they frequently have to view an ad (or two) via an interstitial page before the connection is made. Researchers from IBM X-Force X-Force Incident Response and Intelligence Services said Magecart Group 5 (MG5) appears to be trying to load payment card data scraping code into these pages loaded by the routers. That code would be able to steal payment card information the user entered on shopping sites while connected to that network.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data,” IBM X-Force IRIS researchers wrote. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

The L7 routers refer to commercial-grade layer 7 routers commonly used by hotels, restorts, airports, cafes, and other public locations that offer public Wi-Fi networks.These routers support the Layer 7 protocol, meaning it can manipulate traffic on the application layer, such as displaying that interstitial page before letting the user connect to the network.

The attacker can potentially turn the router against its users. One way is to steal payment card details as they are entered into a shopping website while the user is connected to the network. Another is to inject malicious ads into the webpages the user views while connected.

“By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online,” IBM X-Force said.

The code the group is testing would be injected into a specific type of commercial L7 router, although the researchers have not seen any vendor compromises, so far. While the researchers found the files uploaded to VirusTotal, they have not seen any examples of the attacks.

This kind of an attack shows an evolution in Magecart, the collection of groups who have been behind the payment card attacks on major companies such as Ticketmaster and British Airways. Magecart attacks have typically focused on inserting virtual credit card skimmers into web applications (such as shopping carts) to siphon off the card details. Instead of hiding attack code inside JavaScript of PHP files on the website level, MG5 is raising the stakes by hiding the code into the router. The router would be vulnerable to injected code if it had a software vulnerability or was behind on a firmware update.

“What we are seeing are MG5 attack tactics, techniques and procedures targeting resources produced by said vendors,” the researchers said.

Researchers said that retailers should avoid third-party code on their ecommerce applications and to use strong content security policies to prevent malicious code from executing cross-site scripting (XSS), clickjacking and other code injection attacks.

Security researchers tracking Magecart consider MG5 to be among the most prominent, with its own strategy and tactics. MG5 typically targets third-party services used by ecommerce platforms by injecting skimming code into their JavaScript libraries.

The researchers also found that MG5 appears to have corrupted an open source mobile app code that is freely available. It provides a “library-agnostic touch slider” which developers use to build touch galleries within their apps. MG5’s tampering means every developer using the slide would wind up serving up the attack code to anyone using the finished app.

“This strategy is well in line with MG5’s TTPs: compromising a third-party platform to affect a large user base without the added effort,” the researchers wrote.