A faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels. If successful, attackers would be able to compromise these commercial-grade routers and siphon payment data from users joining Wi-Fi networks at airports, coffee shops, hotels and other public facilities.
“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data,” said researchers with IBM’s X-Force security team in a Wednesday post. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”
It’s important to note that researchers have not discovered any actual vendor compromise in the wild. “What we are seeing are MG5 attack tactics, techniques and procedures targeting resources produced by said vendors,” they said. “An actual attack would require further steps on MG5’s part.” Threatpost has reached out to researchers regarding which of the specific “resources” mentioned were targeted.
L7 refers to the top layer of the Open Systems Interconnection (OSI) model, also known as the application layer. L7 functionality is typically used in commercial-class routers because of its ability to balance internet traffic loads, ensure quality of service and display an interstitial page (or ad) while users connect to a Wi-Fi service’s central portal.
If the code is successfully injected into the router, the subsequent attack can then be twofold, researchers said. Attackers can steal guest payment data when they browse on e-commerce sites through a compromised router. They can also inject malicious ads into webpages viewed by all connected guest devices (including those who pay to use the internet and those connecting to a hotel’s free Wi-Fi hot spots).
Magecart Group 5
The code testing is a departure from the typical attack vector of Magecart groups, responsible for the payment-card attacks on Ticketmaster, Forbes, British Airways, Newegg and others. Typically the factions under the Magecart umbrella insert virtual credit-card skimmers into a web application (usually the shopping cart), and proceed to steal credit card information to sell on the black market.
Magecart Group 5 is considered to be among the most prominent Magecart groups, researchers said – and it also differs from the others in its targeting strategy and attack tactics.
Researchers say retailers can protect against Magecart attacks (on both the server and client side) by avoiding third-party code and using strong content security policies. Meanwhile, banks and card issuers should educate merchants about the Magecart groups.
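The "strong content security policy" recommendation is concrete enough to check mechanically. The following is an added example, not code from the article or from IBM X-Force: a small Python checker that parses a CSP header and flags the `script-src` settings that would still let an injected skimmer or ad script run (scheme-only sources, wildcard hosts, `'unsafe-inline'` without a nonce or hash, a missing `object-src 'none'` or `base-uri`). The two headers it evaluates are constructed samples, and the hostnames in them are placeholders.

```python
"""Flag Content-Security-Policy settings that leave script loading too permissive.

Added example for illustration; not part of the original article. The two
sample headers below are constructed and do not come from any real site.
"""

# Constructed: a policy that looks restrictive but still permits injected scripts
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https: *.cdn.example"

# Constructed: nonce-based policy with plugins and <base> injection locked down
STRICT_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m' https://cart.example.com; "
    "object-src 'none'; base-uri 'self'"
)

# Source expressions that allow scripts from effectively anywhere
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch-directive lookup: script-src/object-src fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def csp_findings(header):
    """Return human-readable findings; an empty list means no issue was spotted."""
    policy = parse_csp(header)
    findings = []

    scripts = effective_sources(policy, "script-src")
    if not scripts:
        findings.append("no script-src or default-src: scripts may load from any origin")

    # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline', so only
    # report it when it is actually effective.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in scripts)
    for src in scripts:
        low = src.lower()
        if low == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if low in PERMISSIVE_SOURCES:
            findings.append(f"script-src allows {src}")
        elif low.startswith("*."):
            findings.append(f"script-src allows wildcard host {src}")

    # Plugin content can execute code; require an explicit 'none'.
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")

    # Without base-uri, an injected <base> tag can redirect relative script URLs.
    if "base-uri" not in policy:
        findings.append("base-uri is not set")

    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {csp_findings(header) or 'no findings'}")
```

Running the checker against the two constructed headers reports five findings for the weak policy and none for the strict one. The checker is deliberately narrow: it does not evaluate `connect-src` or `form-action`, which is where a skimmer's exfiltration path would also need to be cut off, so it complements rather than replaces a full policy review.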