What’s the matter?
New research conducted by IBM X-Force Incident Response and Intelligence Services (IRIS) reveals that Magecart Group 5 is testing malicious code on L7 routers.
Why does it matter?
L7 routers are used by airports, casinos, hotels, and resorts, among others, and these attacks target shoppers on US and Chinese sites. To be precise, L7 routers provide commercial Wi-Fi connectivity to users connecting to hotel or free airport Wi-Fi.
“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data. We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” researchers said.
What could be the impact?
Researchers noted that Magecart Group 5 has constructed an attack scenario in which it could inject its malicious code into a popular open-source JavaScript library that is designed to make websites compatible with mobile browsing.
MG5 infects L7 router libraries with malicious code in order to inject malicious ads into webpages viewed by all connected guest devices.
Researchers also found that MG5 has infected the open-source mobile app code that’s offered to app developers for free. This mobile app code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.
Researchers’ recommendations