Hackers Invade Routers To Steal Payment Card Details

Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade "Layer 7" routers to steal payment card details. This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details.

Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. This new discovery escalates Magecart attacks to a new level, where the malicious code is injected at the router level rather than being added by hackers on outdated websites.

Layer 7, or L7, routers are a type of commercial, heavy-duty router that's usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others. They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model, meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more.

In a recent IBM report, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

The idea is that hackers would compromise L7 routers and then use their powerful traffic manipulation features to inject these malicious scripts into users' active browser sessions. IRIS researchers said the scripts they found were specifically designed to extract payment card data from online shops and upload the stolen information to a remote web server. They said they found these scripts after the hackers uploaded the files to VirusTotal, a web-based antivirus aggregator. The hackers appear to have been testing whether their code would be detected by the antivirus engines that are part of the VirusTotal aggregator.
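From the defender's side, router-level injection means the page a browser receives differs from the page the shop served. The sketch below is an added example, not code from the IBM report: it diffs the `<script>` elements of a known-good copy against the copy received over the network under test. The sample pages, `shop.example`, `cdn.invalid` and all function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages: a known-good copy of a checkout page and the
# copy received over a network that appended two <script> elements in transit.
BASELINE = (
    '<html><head><script src="https://shop.example/static/checkout.js"></script>'
    '<script>window.cartId = "c-1001";</script></head>'
    '<body><form id="pay"></form></body></html>'
)
INJECTED = ('<script src="https://cdn.invalid/lib.js"></script>'
            '<script>/* placeholder for injected code */</script>')
RECEIVED = BASELINE.replace("</body>", INJECTED + "</body>")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def injected_scripts(baseline_html, received_html):
    """Return scripts present in the received page but absent from the baseline."""
    base, got = collect(baseline_html), collect(received_html)
    return {"external": sorted(got.external - base.external),
            "inline_sha256": sorted(got.inline - base.inline)}
```

Pages with per-request inline scripts (nonces, session values) will need those normalised before hashing, otherwise every fetch reports a difference.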

IRIS researchers found 17 scripts, which they organised in five groups, based on their purpose. They found that domains and other indicators in the code linked the 17 files to a hacker group known as Magecart #5. This is a known threat actor that has engaged in hacking IT companies and planting card-stealing code in their products. They also used CDNs (content delivery networks) and ads to deliver the malicious code.

These types of attacks are called web skimming, or Magecart attacks, and have been going on for at least three years, but they became a popular trend in the past year.

What’s known as “Magecart” today started as the name of web-based skimming malware. The term Magecart has since evolved into the name of a modus operandi used by at least twelve different cybercrime factions that target ecommerce sites by compromising their carts, checkout pages, or web logic, depending on the group and its campaign tactics. 

Magecart attacks evolving towards injections of malicious code at the router level aren't actually a surprise for most security experts. Insecure routers have been hacked over the past decade, usually to redirect users to phishing links or malicious downloads, to inject crypto-jacking scripts, or to inject ads for criminals' profit.

It was only a matter of time until Magecart groups realised they could do the same, but insert card-stealing code instead of what previous groups used.

IBM: ZDNet
