26 September 2019

Magecart group is testing a new way of siphoning credit card data

One of the card skimming groups operating under the Magecart umbrella has been caught testing malicious code designed for injection into benign JavaScript files loaded by commercial-grade layer 7 (L7) routers. Such routers are typically used by airports, casinos, hotels, resorts, and other public facilities. The group has also targeted an open-source JavaScript library called Swiper, which is used by mobile websites and apps, researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team revealed.

The group in question is Magecart Group 5 (MG5), which is considered to be among the most prominent. While MG5 focuses on stealing payment card data, it differs from other online skimmer groups that directly compromise their targets’ shopping cart platforms: it mainly targets third-party services used by e-commerce websites, injecting skimming code into the JavaScript libraries those sites load.

The X-Force investigation started with two scripts discovered on VirusTotal that had similarities to malicious code associated with previous Magecart campaigns. Upon further searching, the researchers tracked down a total of 17 malicious samples uploaded since April 2019 by the same user from Russia.

One of the uncovered skimming scripts, called test4.html, points to a script called advnads20.js that was associated in 2012 with rogue advertisement injection through WiFi hotspots in hotels. The script contains code to interact with a commercial-grade Layer 7 router.

L7 routers are devices typically used by airports, hotels, casinos, malls and similar establishments and organizations to deliver wireless connectivity to large numbers of users.

“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data. We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” the researchers said.

If successful, the attack could result in massive payment data theft, either when potential victims browse through a compromised router or if the hackers inject malicious code into web pages viewed by all connecting guest devices, including those that pay to use the internet and those connecting to free WiFi hotspots, the X-Force team warned.

Indicators of Compromise (IoCs), including a list of URLs and domains related to the X-Force findings, can be found in the last part of the team's report.
