Magecart 5 is targeting Layer 7 routers used in airports, casinos, hotels, resorts, and other venues to steal credit card data on popular US and Chinese shopping sites.
Researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team identified a Magecart campaign targeting commercial-grade Layer 7 routers—used in large venues that serve a transient user base such as airports, casinos, hotels, and resorts—to exfiltrate credit card data from users shopping for goods on US and Chinese websites.
The routers in question can inject advertisements into web pages viewed over the connection, a practice used to recoup the cost of running a free Wi-Fi service. While IRIS is quick to note that there is no evidence of vendor compromise, the attackers are exploring resources provided by the device vendor.
IRIS identified roughly 17 files uploaded to VirusTotal with minor changes and behavioral differences between them, including JavaScript skimmers, referrer redirectors, random domain generators, and script injectors. It is common practice for malicious actors to upload test code to VirusTotal to determine whether a payload is detected as a threat.
The novel part is the resource being leveraged in the attack. Layer 7 routers provide "access to a large number of captive users with very high turnover, like in the case of airports or hotels," according to IRIS, making it "a lucrative concept for attackers looking to compromise payment data. We believe that [Magecart] aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet," the report stated.
IRIS advises ecommerce retailers to use extension blacklists and to scrutinize vendor-provided JavaScript files for integrity.
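One concrete way to act on that integrity advice is to record a hash baseline of every vendor-provided script at deployment time, re-hash what is actually being served on a schedule, and flag anything modified, missing, or newly appeared; the same digest can be emitted as a Subresource Integrity (SRI) value so the browser refuses a script whose content no longer matches. The script below is an added example written for this article and is not IBM IRIS code or part of the report; the file names and contents are constructed sample data, and the "observed" set deliberately contains one appended modification and one unknown file.

```python
import base64
import hashlib

# Constructed sample data (not from the report): the vendor scripts an ecommerce
# site deploys, captured once as a trusted baseline.
TRUSTED_FILES = {
    "vendor/checkout.js": b"function checkout(){ return submitOrder(); }\n",
    "vendor/analytics.js": b"window.track = function(e){ console.log(e); };\n",
}

# Constructed "later observation" of the same paths: checkout.js has had code
# appended to it, and a file that was never in the baseline has appeared.
OBSERVED_FILES = {
    "vendor/checkout.js": TRUSTED_FILES["vendor/checkout.js"]
    + b";(function(){ /* unexpected appended code */ })();\n",
    "vendor/analytics.js": TRUSTED_FILES["vendor/analytics.js"],
    "vendor/newscript.js": b"// not present in the baseline\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a script body; used as the baseline fingerprint."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each script path to its trusted SHA-256 (run once at deployment)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_integrity(files: dict, baseline: dict) -> dict:
    """Compare currently served scripts with the baseline.

    Returns sorted lists under three keys:
      modified   - path exists in both but the content hash differs
      unexpected - path is served but was never recorded in the baseline
      missing    - path is in the baseline but is no longer served
    Any non-empty list is a finding that deserves investigation.
    """
    findings = {"modified": [], "unexpected": [], "missing": []}
    for path, content in files.items():
        expected = baseline.get(path)
        if expected is None:
            findings["unexpected"].append(path)
        elif sha256_hex(content) != expected:
            findings["modified"].append(path)
    for path in baseline:
        if path not in files:
            findings["missing"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def sri_attribute(content: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, attribute: str) -> bool:
    """True if the script body still matches a previously issued SRI value."""
    algo, _, _ = attribute.partition("-")
    return sri_attribute(content, algo) == attribute


if __name__ == "__main__":
    baseline = build_baseline(TRUSTED_FILES)
    for name, paths in verify_integrity(OBSERVED_FILES, baseline).items():
        print(f"{name:10s}: {paths}")
    print("SRI for checkout.js:", sri_attribute(TRUSTED_FILES["vendor/checkout.js"]))
```

Running it reports checkout.js as modified and newscript.js as unexpected while analytics.js passes. The SRI value is only useful if the script is served with a fixed, known content; for scripts that a vendor (or, as in this campaign, an intermediary device) may rewrite, a mismatch is exactly the signal you want, since the browser will then refuse to execute the altered file.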
Magecart refers to at least 12 distinct financially motivated cybercrime groups that leverage online skimming attacks to exfiltrate credit card data. The most active of these groups, Magecart 5 (MG5), is posited by IRIS to be the origin of the router attack.
The IRIS report lands amid a burst of activity from Magecart threat groups.