Cybercriminals plan to make L7 routers serve card stealing code
One of the Magecart cybercriminal groups is testing a new method for grabbing users’ credit card info: malicious skimming code that can be loaded into files used by L7 routers.
What is Magecart?
Magecart is an umbrella label for a growing number of cybercriminals groups that perform JavaScript-based credit card skimming attacks, usually by:
- Compromising individual e-commerce sites
- Compromising third-party sources of scripts that online shop owners use to add various functionalities or serve ads
- Compromising cloud storage that is used to serve websites’ static content.
A novel approach
Researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team have spotted and discovered 17 “test” files fed into VirusTotal, and believe that person is part or working for Magecart Group 5 (MG5), which mostly focuses on targeting third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide.
A thorough analysis of those files lead them to believe that the group is working on code that will allow them to target and compromise layer 7 routers.
L7 routers are commercial grade routers, typically used by airports, hotels, casinos, malls and similar establishments and organizations, to deliver wireless connectivity to a great number of users.
They usually lead to “captive portals” and require users to sign in (or pay) to use the service. Most importantly, though, these routers can manipulate traffic (mostly to serve ads) and, apparently, this is how MG5 plans to inject their malicious skimming scripts into users’ browsers sessions.
The researchers also discovered that MG5 has recently injected malicious code into an open source and highly popular JavaScript library designed to make PC-based browsing compatible with mobile viewing.
“That open source code is provided as a free, MIT licensed tool designed to provide swiping features on mobile devices. By infecting that code at its source, MG5 can infect and compromise all the apps that incorporate that module into their code and steal data from users who eventually download the booby-trapped apps,” they explained.
What can we do about it?
Avoiding Magecart groups’ payment card skimming code is getting more difficult as time passes. Apart from giving up on online shopping, there’s not much consumers can do to prevent falling victim to router-level skimming or skimming via compromised libraries and apps.
Online merchants, on the other hand, can do something: they can avoid insecure third-party code, implement code/file integrity checks for third-party scripts, use strong Content Security Policies, allow only vetted scripts to access payment data, and so on.
App developers should carefully vet the open source code they mean to include in their offerings.