Magecart skimmers seen targeting routers for customer Wi-Fi networks

That captive portal may be more captive than you know.

John Moore / Getty Images

Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal Web malware operators that appears to be targeting commercial layer 7 routers—the type typically associated with Wi-Fi networks that use “captive portals” to either charge for Internet access or require customers to sign in.

The group, called “Magecart 5,” is one of several factions of criminal groups originally associated with the Magecart “web-skimmer,” a class of JavaScript-based payment card stealing malware that has been used in the past to target customers on e-commerce websites. Ticketmaster, British Airways, and NewEgg customers were just some of the victims in a rash of exploits by Magecart rings in 2018, and the malware operators have continued to be active in 2019. According to researchers, hundreds of thousands of merchant sites have been compromised through attacks on third-party services.

In the past, Magecart attacks have focused on exploiting Web infrastructure components of victims’ e-commerce sites. In the case of British Airways and NewEgg, a Web server was compromised, and the attackers added 22 new lines of code to an existing JavaScript library. The code redirected some traffic to a lookalike domain name used to capture payment data. In Ticketmaster’s case, it was a third-party service provider’s server that was compromised. And in one attack on Umbro Brazil, two different Magecart gangs hit the site—with one sabotaging the other’s skimming operations by feeding fake data.

Now you’re playing with captive portals

The activity picked up by X-Force IRIS researchers shows Magecart 5 going in a whole new direction for JavaScript injection attacks. The type of routers that the group is focusing on—a specific type of router commonly used to provide free or paid Wi-Fi Internet access at airports, hotels, resorts, and even in some retail environments—use captive portals to process payments for access, to have users agree to terms of service, and often to display advertisements.

These routers can also control the content delivered to users—with content filtering, the loading of interstitial pages before loading the intended site, and other potentially dangerous bits of manipulation (such as “traffic shaping”). If this type of router were to be compromised, malicious code could be used to steal users’ payment data during e-commerce sessions through redirection of traffic to lookalike servers, and malicious advertisements could be injected into webpages to attack connected devices.
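One defender-side check for the router-level injection described above, added here as an example that is not from the article or from IBM's research: fetch a page through the untrusted network, fetch a reference copy over a trusted path, and diff the set of script tags. Hostnames and page contents below are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by a hash of the body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.scripts.append(("inline", hashlib.sha256(body.encode()).hexdigest()))
            self._in_script = False


def collect_scripts(html):
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def find_injected_scripts(reference_html, observed_html):
    """Scripts present in the page seen through the network but absent from the reference copy."""
    baseline = set(collect_scripts(reference_html))
    return [s for s in collect_scripts(observed_html) if s not in baseline]


# Constructed sample: a checkout page as the merchant serves it, and the same page
# after an in-path device appended a lookalike-hosted library and an inline script.
REFERENCE_PAGE = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body></body></html>"""
OBSERVED_PAGE = REFERENCE_PAGE.replace("</head>", '<script src="https://cdn.lookalike-shop.invalid/slider.min.js"></script>\n<script>document.title = "x";</script>\n</head>')
```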

The researchers also found evidence that the group was making modifications to an open source mobile application library used to create touch “sliders” to allow users to swipe through galleries. “[Magecart 5] has likely infected this code, corrupting it at its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of user data of those using the finished product.” That matches with Magecart 5’s modus operandi of compromising third-party resources to get a broader effect, the researchers noted.
