Magecart skimmers are targeting large public Wi-Fi networks for payment details
Russian-linked cyber criminals are compromising industrial-sized routers for their large data banks
Security researchers have observed Magecart skimmers being used actively on routers designed to support public access networks in order to steal payment information.
The findings were made by experts from IBM's X-Force IRIS team and relate specifically to layer 7 (L7) routers which are typically deployed by businesses such as hotels so many customers can access the network at once.
The researchers said that targeting the industries that use L7 routers is common practice for cyber criminals due to "the rich customer data they possess, which often includes payment card data as well - a hallmark of the Magecart conglomerate".
Magecart-related malware began as code injected into websites and of the twelve known Magecart-affiliated groups, Magecart group 5 (MG5) is the most prominent and the group the researchers believe to be behind the router attack.
The Magecart group are perhaps best known for their high-profile attacks on British Airways, Ticketmaster and Newegg in a highly lucrative formjacking campaign that contributed to the ICO's intention to fine BA 183 million under the GDPR.
The investigation began as a result of finding MG5-linked code on VirusTotal, a black hat favourite for checking if code was being actively monitored or had been detected.
One script which particularly caught the attention of the researchers was "test4.html", 17 different versions of which had been uploaded from the same group and location, but with minor alterations. Some of these had "catch" in their file name and these files seemed to contain newly inserted try-catch error handling in order to evade detection.
The researchers said the Magecart skimmers aim to inject malicious web resources into the L7 routers as well as injecting malicious adverts that users may have to click in order to access the public network. In doing so, guest payment data can be stolen if they browse through a compromised router.
Ecommerce sites and banks have been advised of the malicious campaign by IBM's researchers and to make necessary changes to protect their customers.
Navigating the new normal: A fast guide to remote working
A smooth transition will support operations for years to comeDownload now
Leading the data race
The trends driving the future of data scienceDownload now
How to create 1:1 customer experiences at scale
Meet the technology capable of delivering the personalisation your customers craveDownload now
How to achieve daily SAP releases
Accelerate the pace of SAP change to support your digital strategyDownload now