A faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels. If successful, attackers would be able to compromise these commercial-grade routers and siphon payment data of users joining Wi-Fi networks at airports, coffee shops, hotels and other public facilities.
Researchers said they have found evidence that Magecart Group 5 (MG5) – one of several groups operating under the Magecart umbrella – is preparing the code to be injected into benign JavaScript files. From there, those files would be loaded into commercial-grade routers that support the layer 7 (L7) protocol. It is those types of routers, with L7 support, that are typically used in free or fee Wi-Fi settings.
“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data,” said researchers with IBM’s X-Force security team in a Wednesday post. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”
It’s important to note that researchers have not discovered any actual vendor compromise in the wild. “What we are seeing are MG5 attack tactics, techniques and procedures targeting resources produced by said vendors,” they said. “An actual attack would require further steps on MG5’s part.” Threatpost has reached out to researchers regarding which of the specific “resources” mentioned were targeted.
Magecart Targets Routers For Commercial Wi-Fi Networks
Magecart Group 5 has been spotted testing and preparing code to be injected onto commercial routers - potentially opening up guests connecting to Wi-Fi networks to payment data theft.
threatpost.com