IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Magecart skimmers are targeting large public Wi-Fi networks for payment details

Russian-linked cyber criminals are compromising industrial-sized routers for their large data banks

Hacker in front of a Russian flag

Security researchers have observed Magecart skimmers being used actively on routers designed to support public access networks in order to steal payment information.

The findings were made by experts from IBM's X-Force IRIS team and relate specifically to layer 7 (L7) routers which are typically deployed by businesses such as hotels so many customers can access the network at once.

The researchers said that targeting the industries that use L7 routers is common practice for cyber criminals due to "the rich customer data they possess, which often includes payment card data as well - a hallmark of the Magecart conglomerate".

Magecart-related malware began as code injected into websites and of the twelve known Magecart-affiliated groups, Magecart group 5 (MG5) is the most prominent and the group the researchers believe to be behind the router attack.

The Magecart group are perhaps best known for their high-profile attacks on British Airways, Ticketmaster and Newegg in a highly lucrative formjacking campaign that contributed to the ICO's intention to fine BA 183 million under the GDPR.

Researchers attributed the attack to MG5 based on two JavaScript skimmer file samples they found to have the same author, deliberate naming scheme and upload location of Murino, Russia.

The investigation began as a result of finding MG5-linked code on VirusTotal, a black hat favourite for checking if code was being actively monitored or had been detected.

One script which particularly caught the attention of the researchers was "test4.html", 17 different versions of which had been uploaded from the same group and location, but with minor alterations. Some of these had "catch" in their file name and these files seemed to contain newly inserted try-catch error handling in order to evade detection.

It was based off an old script previously discovered in 2012 called "advnads20.js" - code linked with previous (albeit benign) JavaScript injection of online ads into any and all web pages viewed over hotel Wi-Fi access.

"Injecting JavaScript payloads into the connections of unsuspecting hotel guests is a huge win for scammers looking to gain access to sensitive data or resources," Craig Young, computer security researcher for Tripwire's vulnerability and exposure research team to IT Pro.

"Consider for example someone using the WiFi from a hotel while on a business trip to a satellite office. JavaScript loaded from this hotel WiFi may actually remain executing (through WebWorkers or open tabs) the following morning when the same computer is connected to the corporate intranet. This JavaScript can now, to some extent, relay connections through the unsuspecting employee laptop and onto network resources."

The researchers said the Magecart skimmers aim to inject malicious web resources into the L7 routers as well as injecting malicious adverts that users may have to click in order to access the public network. In doing so, guest payment data can be stolen if they browse through a compromised router.

Ecommerce sites and banks have been advised of the malicious campaign by IBM's researchers and to make necessary changes to protect their customers.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022