MageCart now attacks routers, not sites

IBM experts have found evidence that attackers are creating special scripts designed to be hosted on Layer 7 routers, from where they steal bank card data. MageCart now attacks not only sites, but also routers.

Until recently, MageCart attacks (so-called web skimming) affected only websites, into which the attackers injected malicious JavaScript or PHP code to steal payment data. Now the hackers have switched to compromising network equipment.

Layer 7 (L7) routers are powerful commercial network devices, usually installed in busy places such as hotels, shopping centers, airports and other public spaces. They work like regular routers, but they can also inspect and manipulate traffic at the seventh layer of the OSI network model (Layer 7, the application layer).

“Attackers compromise L7 routers in order to then use their powerful traffic management capabilities to inject these malicious scripts into active sessions in user browsers. Moreover, the discovered scripts were specially designed to steal payment card data from online stores and transfer stolen information to a remote server,” IBM specialists write.


The scripts came to light because they were uploaded to VirusTotal in April of this year (evidently by the attackers themselves, to check whether security solutions detect the malicious code). In total, the researchers found 17 such scripts.

The domains and other indicators found in the code show that these 17 files are associated with a hacker group known as MageCart 5. According to information security experts, this group hacks only third-party service providers. It has already shown creativity, using CDNs (content delivery networks) and advertising to inject its malicious code into sites.

RiskIQ experts, who have long been observing MageCart groups, believe that MageCart 5 is one of the most professional and serious groups of all. Let me remind you that in 2018, RiskIQ researchers identified 12 such groups, while according to IBM, now there are already 38 of them.

IBM analysts write that it is not yet clear whether MageCart 5 managed to use its scripts to attack real routers, but there is such a possibility.

Mitigation Tips

Here are some tips from our team for those looking to mitigate the risk of Magecart attacks:

  1. Avoid insecure third-party code (e.g. Adminer versions released earlier than v4.7.0)
  2. Use extension blacklists
  3. Implement code/file integrity checks, especially for any JavaScript files loaded from external third-party providers
  4. Use strong Content Security Policies (CSP)
  5. Work on the top most prominent web application issues that attackers prey on
  6. Like other card compromises, look out for a Common Point of Compromise and investigate to revoke and re-issue cards as needed
  7. Use the controls you would use for CNP fraud
  8. Educate users about card security and about reviewing their statements regularly to report potential fraud.
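The injection described above (an L7 device adding script to a page in flight) and tips 3 and 4 (integrity checks for externally loaded JavaScript, and a strong CSP) can be exercised together with the following added example. It is not code from the article or from IBM: it builds a baseline of the scripts a checkout page is supposed to load, with Subresource Integrity hashes of their content, then compares a page as observed in a session against that baseline and asks whether a given `script-src` policy would have permitted each loaded script. The page HTML, script bodies, hostnames (`shop.example`, `cdn.example`, `stats-collector.invalid`) and the CSP string are all constructed for the example; the CSP matcher is deliberately simplified (origins, `'self'`, `*` and `https://*.host` only).

```python
"""Detect script injection into a served page and check whether a CSP
would have blocked it. All sample HTML, script bodies and URLs below are
constructed for this example (hosts ending in .example / .invalid are
placeholders, not real infrastructure)."""
import base64
import hashlib
import re
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # assumed origin of the store's own pages

# Constructed: the checkout page as the shop's web server actually emits it.
BASELINE_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/jquery.js"></script>
</head><body><form id="pay"></form></body></html>"""

# Constructed: the same page as a browser would receive it through a router
# that injects an extra external loader and an inline hook into the session.
OBSERVED_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/jquery.js"></script>
<script src="https://stats-collector.invalid/track.js"></script>
<script>document.getElementById("pay").onsubmit = grab;</script>
</head><body><form id="pay"></form></body></html>"""

# Constructed script bodies keyed by URL, standing in for what a fetch returns.
SCRIPT_BODIES = {
    "https://shop.example/static/checkout.js": b"function pay(){/* legit */}",
    "https://cdn.example/lib/jquery.js": b"/* jQuery placeholder */",
    "https://stats-collector.invalid/track.js": b"/* injected loader */",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def inventory(html):
    """Return (external script URLs, inline script bodies) found in a page."""
    external, inline = [], []
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        if m:
            external.append(m.group(1))
        elif body.strip():
            inline.append(body.strip())
    return external, inline


def sri_hash(content):
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode()


def build_baseline(html, bodies):
    """Map each expected external script URL to the SRI hash of its content."""
    external, _ = inventory(html)
    return {src: sri_hash(bodies[src]) for src in external}


def check_page(html, bodies, baseline):
    """Compare a page against the baseline; return a list of findings."""
    findings = []
    external, inline = inventory(html)
    for src in external:
        if src not in baseline:
            findings.append("unexpected external script: " + src)
        elif sri_hash(bodies.get(src, b"")) != baseline[src]:
            findings.append("integrity mismatch: " + src)
    for body in inline:  # the baseline page carries no inline scripts at all
        findings.append("unexpected inline script: " + body[:40])
    return findings


def csp_allows_script(csp, src, site_origin=SITE_ORIGIN):
    """Simplified check: would script-src (or default-src) permit loading src?
    Handles '*', exact origins, 'self' and https://*.host wildcards only."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    u = urlparse(src)
    origin = f"{u.scheme}://{u.netloc}"
    for s in sources:
        if s == "*" or s == origin:
            return True
        if s == "'self'" and origin == site_origin:
            return True
        if s.startswith("https://*.") and u.netloc.endswith(s[len("https://*"):]):
            return True
    return False


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HTML, SCRIPT_BODIES)
    for finding in check_page(OBSERVED_HTML, SCRIPT_BODIES, baseline):
        print(finding)
    policy = "default-src 'self'; script-src 'self' https://cdn.example"
    for src in inventory(OBSERVED_HTML)[0]:
        verdict = "allowed" if csp_allows_script(policy, src) else "blocked"
        print(src, verdict, "by CSP")
```

Run against the observed page, the checker reports the extra external loader and the inline hook as findings, and the sample policy would block the loader while still permitting the store's own and CDN scripts. In practice the baseline hashes are what you would put into `integrity` attributes on the `<script>` tags, so that a browser refuses a modified copy even when the injection happens on the path rather than on the origin server; the CSP check is the complementary control that stops script from hosts the policy never named.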

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
