The X-Force investigation started with two scripts discovered on VirusTotal that had similarities to malicious code associated with previous Magecart campaigns. Upon further searching, the researchers tracked down a total of 17 malicious samples uploaded since April 2019 by the same user from Russia.
One of the uncovered skimming scripts, called test4.html, points to a script called advnads20.js that was associated in 2012 with rogue advertisement injection through WiFi hotspots in hotels. The script contains code to interact with a commercial grade Layer 7 router.
L7 routers are devices typically used by airports, hotels, casinos, malls and similar establishments and organizations to deliver wireless connectivity to a large number of users.
“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data. We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” the researchers said.
If successful, the attack could result in massive payment data theft, either when potential victims browse through a compromised router or if the hackers inject malicious code into web pages viewed by all connecting guest devices, including those that pay to use the internet and those connecting to free WiFi hotspots, the X-Force team warned.
Indicators of Compromise (IoCs), including a list of URLs and domains related to X-Force's findings, can be found in the last part of the team's report.