Magecart Group Targets Routers Behind Public Wi-Fi Networks

Magecart Group 5 has been spotted testing and preparing code to be injected onto commercial routers – potentially opening up guests connecting to Wi-Fi networks to payment data theft.

A faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels. If successful, attackers would be able to compromise these commercial-grade routers and siphon payment data from users joining Wi-Fi networks at airports, coffee shops, hotels and other public facilities.

Researchers said they have found evidence that Magecart Group 5 (MG5) – one of several groups operating under the Magecart umbrella – is preparing the code to be injected into benign JavaScript files. From there, those files would be loaded into commercial-grade routers that support the layer 7 (L7) protocol. It is those types of routers, with L7 support, that are typically used in free or paid Wi-Fi settings.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data,” said researchers with IBM’s X-Force security team in a Wednesday post. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

It’s important to note that researchers have not discovered any actual vendor compromise in the wild. “What we are seeing are MG5 attack tactics, techniques and procedures targeting resources produced by said vendors,” they said. “An actual attack would require further steps on MG5’s part.” Threatpost has reached out to researchers regarding which of the specific “resources” mentioned were targeted.

L7 refers to the top layer of the Open Systems Interconnect (OSI) model, also known as the application layer. L7 is typically used in commercial-class routers because of its ability to balance internet traffic loads, ensure quality of service and display an interstitial page (or ad) while users connect to a Wi-Fi service’s central portal.

“When offering Wi-Fi service, most vendors do not support proxying adverts or JavaScript injection,” researchers said. “So why do we often see ads when we connect via captive portals? That’s because Wi-Fi vendors looking to make extra profit from third parties may offer the hotel a discounted price for the Wi-Fi operation if it allows midstream ads to run before guests connect.”

That opens the door for attackers to inject the malicious code via these JavaScript files – which is what researchers fear that Magecart Group 5 is aiming to do.

“We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet,” researchers said.

If the code is successfully injected into the router, the subsequent attack can then be twofold, researchers said. Attackers can steal guest payment data when they browse on e-commerce sites through a compromised router. They can also inject malicious ads into webpages viewed by all connected guest devices (including those who pay to use the internet and those connecting to a hotel’s free Wi-Fi hot spots).

Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team, said that injecting JavaScript payloads into the connections of unsuspecting hotel guests is a “huge win for scammers looking to gain access to sensitive data or resources.”

“In addition to being able to completely alter the look and behavior of unprotected sites, JavaScript can initiate functions which persist across network changes potentially giving attackers access to restricted networks,” Young said. “Consider for example someone using the Wi-Fi from a hotel while on a business trip to a satellite office. JavaScript loaded from this hotel Wi-Fi may actually remain executing (through WebWorkers or open tabs) the following morning when the same computer is connected to the corporate intranet. This JavaScript can now, to some extent, relay connections through the unsuspecting employee laptop and onto network resources.”

The code testing is a departure from the typical attack vector of Magecart groups, responsible for the payment-card attacks on Ticketmaster, Forbes, British Airways, Newegg and others. Typically the factions under the Magecart umbrella insert virtual credit-card skimmers into a web application (usually the shopping cart), and proceed to steal credit card information to sell on the black market.

Magecart Group 5 is considered to be among the most prominent Magecart groups, researchers said – and also differs in its targeting strategy and attack tactics.

“Unlike other online skimmer groups that directly compromise their target’s shopping cart platforms, Magecart Group 5 focuses on targeting third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide,” researchers said.

Researchers recommend that retailers (on the server and client side) protect against Magecart attacks by avoiding third-party code and using strong content security policies. Meanwhile, bank and card issuers should educate merchants about the Magecart groups.
