
Magecart card-skimming group targets L7 routers used by high-traffic locales

A prominent Magecart cybercriminal group appears to be testing card-skimming code capable of compromising commercial-grade layer 7 (L7) routers used by airports, casinos, hotels and resorts, researchers are reporting.

The threat actor, tracked as Magecart Group 5 or MG5, has seemingly also experimented with injecting code into a popular open-source JavaScript library used in mobile apps. Such an attack could allow the attackers to steal payment card data from mobile users who installed apps built on the tainted library, according to IBM's X-Force Incident Response and Intelligence Services (IRIS) team in a company blog post today.

L7 routers are often used by high-traffic facilities like airports and hotels because they have the capacity to provide Wi-Fi to large numbers of people at once, they provide "captive portal" capabilities (routing unauthenticated clients to a server where they can authenticate), and they allow hosts to control and filter the content delivered to all users. But these same features can also be used maliciously if attackers compromise the router, IBM warns. For instance, adversaries could steal guest payment data or even deliver malicious ads.

"Having access to a large number of captive users with very high turnover – such as in the case of airports and hotels – is a lucrative concept for attackers looking to compromise payment data," wrote IBM blog post co-authors Christopher Kiefer, threat hunt and discovery analyst, and Limor Kessem, executive security advisor. "We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet."

IBM identified the open-source mobile app code that's also under threat by MG5 as "Swiper," noting that it "provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects."

IBM said MG5 likely has already corrupted the code "at its source" so every app that uses the slider will serve up card-skimming code to its users. This scenario fits in with MG5's usual m.o., which is to compromise third-party software used by multiple e-commerce sites, the post states.

Bradley Barth
