One of the card skimming groups operating under the Magecart umbrella has been caught testing malicious code designed for injection into benign JavaScript files loaded by commercial-grade layer 7 (L7) routers. Such routers are typically used by airports, casinos, hotels, resorts, and other public facilities. The group has also targeted an open-source JavaScript library called Swiper that is used by mobile websites and apps, researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team revealed.
The group in question is Magecart Group 5 (MG5), which is considered to be among the most prominent. While MG5 focuses on stealing payment card data, it differs from other online skimmer groups, which directly compromise their targets' shopping cart platforms, in that it mainly targets third-party services used by e-commerce websites, injecting skimming code into the JavaScript libraries those sites load.
The X-Force investigation started with two scripts discovered on VirusTotal that had similarities to malicious code associated with previous Magecart campaigns. Further searching led the researchers to a total of 17 malicious samples uploaded since April 2019 by the same user from Russia.
One of the uncovered skimming scripts, called test4.html, points to a script called advnads20.js that was associated in 2012 with rogue advertisement injection through WiFi hotspots in hotels. The script contains code to interact with a commercial-grade Layer 7 router.
L7 routers are devices, typically used by airports, hotels, casinos, malls and similar establishments and organizations, to deliver wireless connectivity to a great number of users.
“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data. We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” the researchers said.
If successful, the attack could result in massive payment data theft, either when potential victims browse through a compromised router or when the hackers inject malicious code into web pages viewed by all connecting guest devices, including those who pay to use the internet and those connecting to free WiFi hot spots, the X-Force team warned.
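The defensive counterpart to the library-tampering technique described above is Subresource Integrity (SRI): a site pins the hash of the third-party script it expects, and the browser refuses to run a copy whose bytes differ. The following is an added example, not code from the X-Force report, that builds the integrity pin for a library and checks a served copy against it; the "library" bytes and the appended stub are constructed stand-ins, not real Swiper or MG5 code.

```python
import base64
import hashlib
import hmac

# Constructed sample: a known-good copy of a toy third-party library, and the
# copy actually delivered to the browser with an extra script body appended
# (the kind of modification SRI is designed to catch). Not real library code.
GOOD_LIB = b"/* constructed swiper-like library */\nfunction Swiper(el){this.el=el;}\n"
SERVED_LIB = GOOD_LIB + b"(function(){/* constructed appended stub */})();\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a site should use to pin a third-party library.
    crossorigin="anonymous" is required for SRI to apply to cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify(expected: str, served: bytes) -> bool:
    """Mimic the browser's check: recompute with the algorithm named in the pin
    and compare in constant time. False means the script must not execute."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(expected, sri_hash(served, algo))


if __name__ == "__main__":
    pin = sri_hash(GOOD_LIB)
    print(script_tag("https://cdn.example.invalid/swiper.min.js", GOOD_LIB))
    print("good copy accepted:", verify(pin, GOOD_LIB))      # True
    print("tampered copy accepted:", verify(pin, SERVED_LIB))  # False
```

SRI only protects the script bytes; it does nothing when the attacker can rewrite the HTML page itself (as in the router-side ad injection the report describes), because the injected tag simply carries no pin.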
Indicators of Compromise (IoCs), including a list of URLs and domains related to the X-Force findings, can be found in the last part of the team's report.