Layer 7 (L7) routers are powerful commercial network devices that are usually installed in crowded places, such as hotels, shopping centers, airports and other public venues. Such routers work like regular routers, but they can also manipulate traffic at the seventh layer (Layer 7, the application layer) of the OSI network model.
“Attackers compromise L7 routers in order to then use their powerful traffic management capabilities to inject these malicious scripts into active sessions in user browsers. Moreover, the discovered scripts were specially designed to steal payment card data from online stores and transfer stolen information to a remote server”, IBM specialists write.
The scripts came to light because in April of this year they were uploaded to VirusTotal (obviously, the attackers did it themselves to check whether security solutions detect the malicious code). In total, the researchers found 17 such scripts.
The domains and other indicators found in the code indicate that these 17 files are associated with a hacker group known as MageCart 5. According to information security experts, this group attacks only third-party service providers. This particular group has already shown creativity, having used CDNs (content delivery networks) and advertising to inject its malicious code into sites.
RiskIQ experts, who have been observing MageCart groups for a long time, believe that MageCart 5 is one of the most professional and serious groups of them all. Let me remind you that in 2018 RiskIQ researchers identified 12 such groups, while according to IBM there are now already 38 of them.
IBM analysts write that it is not yet clear whether MageCart 5 managed to use its scripts to attack real routers, but there is such a possibility.
Here are some tips from our team for those looking to mitigate the risk of Magecart attacks:
- Avoid insecure third-party code (for example, Adminer versions released earlier than v4.7.0)
- Use extension blacklists
- Use strong Content Security Policies (CSP)
- Work on the top most prominent web application issues that attackers prey on
- Like other card compromises, look out for a Common Point of Compromise and investigate to revoke and re-issue cards as needed
- Use the controls you would use for CNP fraud
- Educate users about card security and about reviewing their statements regularly to report potential fraud.
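The "strong Content Security Policies" tip above is the control that most directly counters a skimmer injected into a page, because a CSP decides which script origins may load, whether inline scripts run, and where the page may send data. The following audit script is an added example written for this article, not code from IBM, RiskIQ or the MageCart research; the two sample policies, the placeholder CDN host `static.example.test` and the nonce value are constructed for the demo. It parses a CSP header and flags the settings that would let an injected script load (wildcard, scheme-only or plain-http script sources, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`) or exfiltrate card data (unrestricted `connect-src`, missing `form-action`, missing `base-uri`).

```python
"""Audit a Content-Security-Policy header for settings that would let an
injected skimmer script load or exfiltrate data.  Added example for this
article; not code from IBM, RiskIQ or the MageCart research."""

# Constructed sample policies for the demo (not taken from the report).
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
STRONG_CSP = (
    "default-src 'none'; "
    "script-src 'self' 'nonce-r4nd0m' https://static.example.test; "  # placeholder CDN host
    "connect-src 'self'; img-src 'self'; style-src 'self'; "
    "form-action 'self'; base-uri 'self'; frame-ancestors 'none'"
)

# Source expressions that allow an arbitrary, or on-path-modifiable, origin.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    Per the CSP spec a repeated directive is ignored, so the first one wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the sources governing `directive`, honouring the fall-back to
    default-src that fetch directives (script-src, connect-src, ...) have.
    None means no directive applies at all, i.e. everything is allowed."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def is_broad(source: str) -> bool:
    """True for '*', scheme-only sources and plain-http origins; content from
    a plain-http origin can be rewritten by any on-path device."""
    return source in BROAD_SOURCES or source.startswith("http://")


def audit_csp(header: str) -> list:
    """Return (code, explanation) findings; an empty list means the policy
    has none of the weaknesses checked here."""
    policy = parse_csp(header)
    findings = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        return [("no-script-policy",
                 "neither script-src nor default-src is set: any script may run")]

    if any(is_broad(s) for s in scripts):
        findings.append(("script-broad-source",
                         "script-src allows a wildcard, scheme-only or plain-http origin"))
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
    # flag it when it is actually effective.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append(("unsafe-inline",
                         "inline <script> blocks run, so an injected inline skimmer is not blocked"))
    if "'unsafe-eval'" in scripts:
        findings.append(("unsafe-eval",
                         "eval()/Function() on attacker-controlled strings is allowed"))

    connects = effective_sources(policy, "connect-src")
    if connects is None or any(is_broad(s) for s in connects):
        findings.append(("connect-broad-source",
                         "fetch/XHR/beacon may reach any host, so exfiltration is unrestricted"))

    # These two directives do not fall back to default-src and must be explicit.
    if "form-action" not in policy:
        findings.append(("no-form-action",
                         "form submissions can be redirected to any destination"))
    if "base-uri" not in policy:
        findings.append(("no-base-uri",
                         "an injected <base> tag can rewrite relative script URLs"))
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(label, [code for code, _ in audit_csp(csp)])
```

Run against the weak policy the audit reports all six weaknesses; against the strong one it reports none. The check deliberately treats plain-http script origins as broad: a page that loads scripts over HTTP gives any device on the path, including a compromised router, a way to alter them, which is why the strong sample lists an https origin only.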