IBM experts have found evidence that attackers are creating special scripts to compromise Layer 7 routers and use them to steal bank card data. MageCart now attacks not only websites but also routers.
Until recently, MageCart attacks (so-called web skimming) affected only websites: attackers injected malicious JavaScript or PHP code into them and stole payment data. Now the attackers have turned to compromising network equipment.
Layer 7 (L7) routers are powerful commercial-grade network devices usually installed in busy places such as hotels, shopping centres, airports and other public venues. They route traffic like ordinary routers, but they can also inspect and manipulate it at the seventh layer of the OSI model (Layer 7, the application layer), which is what lets them alter the content of HTTP sessions passing through them.
“Attackers compromise L7 routers in order to then use their powerful traffic management capabilities to inject these malicious scripts into active sessions in user browsers. Moreover, the discovered scripts were specially designed to steal payment card data from online stores and transfer the stolen information to a remote server,” IBM specialists write.
The scripts came to light because in April of this year they were uploaded to VirusTotal, presumably by the attackers themselves to check whether security products would detect the malicious code. In total, the researchers found 17 such scripts.
Domains and other indicators found in the code link these 17 files to the hacker group known as MageCart 5. According to information security experts, this group targets only third-party service providers, and it has already shown creativity, having used CDNs (content delivery networks) and advertising to inject its malicious code into sites.
RiskIQ experts, who have been tracking MageCart groups for a long time, consider MageCart 5 one of the most professional and serious of them all. Let me remind you that in 2018 RiskIQ researchers identified 12 such groups, while according to IBM there are now already 38 of them.
IBM analysts write that it is not yet clear whether MageCart 5 has actually deployed these scripts against real routers, but the possibility exists.
Mitigation Tips
Here are some tips from our team for those looking to mitigate the risk of Magecart attacks:
- Avoid insecure third-party code (e.g. Adminer versions released earlier than v4.7.0)
- Use extension blacklists
- Implement code/file integrity checks (for example Subresource Integrity hashes on script tags), especially for any JavaScript files loaded from external third-party providers
- Use strong Content Security Policies (CSP)
- Fix the most common web application weaknesses that attackers prey on
- As with other card compromises, look out for a Common Point of Compromise and investigate, revoking and re-issuing cards as needed
- Use the controls you would use for card-not-present (CNP) fraud
- Educate users about card security and about reviewing their statements regularly so they can report potential fraud.