A prominent Magecart cybercriminal group appears to be testing card-skimming code capable of compromising commercial-grade layer 7 (L7) routers used by airports, casinos, hotels and resorts, researchers are reporting.

The threat actor, deemed Magecart Group 5 or MG5, has seemingly also experimented with injecting code into a popular open-source mobile app code. Such an attack could then allow the attackers to then steal payment card data from mobile users who installed apps that leverage this malicious code, according to IBM's X-Force Incident Response and Intelligence Services (IRIS) team in company blog post today.

L7 routers are often used by high-trafficked facilities like airports and hotels because they have the capacity to provide Wi-Fi to larger numbers of people at once, they provide "captive portal" capabilities (routing unauthenticated clients to server where they can authenticate), and allow hosts to control and filter the content delivered to all users. But these same features can also be used maliciously if attackers compromise the router, warns. For instance, adversaries could stolen guest payment data or even deliver malicious ads.

"Having access to a large number of captive users with very high turnover – such as in the case of airports and hotels – is a lucrative concept for attackers looking to compromise payment data," wrote IBM blog post co-authors Christopher Kiefer, threat hunt and discovery analyst, and Limon Kessen, executive security advisor. "We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet."

IBM identified the open-source mobile app code that's also under threat by MG5 as "Swiper," noting that it "provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects."

IBM said MG5 likely has already corrupted the code "at its source" so every app that uses the slider will serve up card-skimming code to its users. This scenario fits in with MG5's usual m.o., which is to compromise third-party software used by multiple e-commerce sites, the post states.