Cybercriminals appear to be working on a new way to steal payment card data. According to IBM security researchers, a group of hackers is currently developing malicious scripts to use against commercial-grade Layer 7 (L7) routers.
First of all, let’s see what exactly a Layer 7 router is. It is a type of commercial, heavy-duty router typical for large networks, government ones included. What sets a Layer 7 device apart from any other router is that it can manipulate traffic at the application layer, also known as the 7th layer, of the OSI networking model. In other words, the router can respond to traffic not only according to the IP address but also according to cookies, domain names, browser types, etc.
So, what did IBM researchers uncover in their analysis?
How would an attack against L7 routers happen?
These attacks are based on the idea that attackers would leverage L7 routers and abuse their traffic manipulation features to inject malicious scripts into the active browser sessions of users. In fact, IBM says that the Magecart group recently injected malicious code into an open source mobile slider module.
Moreover, the scripts the researchers got hold of appeared to be specifically created to extract payment card details from online stores and upload the harvested information to a remote web server. It is curious to note that the scripts were uncovered because the attackers uploaded the files to VirusTotal, perhaps to test whether the code would be detected by antivirus engines.
IBM discovered 17 such scripts, and grouped them in 5 sections according to their purpose.
Researchers Looked into YARA Rules
The researchers looked into YARA rules (a tool that enables a rule-based approach to creating descriptions of malware families based on textual or binary patterns) and IOCs (indicators of compromise) associated with Magecart Group 5 activity. A VirusTotal alert from one of the analyzed YARA rules initially identified two un-obfuscated file samples that were very similar to samples shared in previous analyses of Magecart activity.
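To make the "rule-based description of textual or binary patterns" idea concrete, here is a small YARA-style matcher written for this article. It is an added example, not IBM's rules, the real YARA engine, or any indicator from the Magecart Group 5 analysis: the rule names, the strings they key on, and the three input samples (a fragmentary skimmer-like script, a benign slider script, and a PE-header stub) are all constructed for illustration. What it shows is the mechanism a YARA rule relies on: named strings (text, optionally case-insensitive, or raw bytes) plus a condition such as "3 of them" over which strings occur in a sample.

```python
"""Mini YARA-style matcher (constructed example, not YARA or IBM's rules).

A YARA rule names a set of strings (text or hex bytes) and a boolean condition
over which of them occur in a sample. This toy evaluator supports:
  - text strings, optionally case-insensitive (YARA's `nocase`)
  - raw byte patterns (YARA's { 4D 5A } hex-string form)
  - conditions "all of them", "any of them" and "N of them"
Every rule and sample below is constructed for illustration.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Rule:
    name: str
    strings: dict                      # string id -> bytes pattern
    condition: str                     # "all of them" | "any of them" | "N of them"
    nocase: set = field(default_factory=set)  # ids matched case-insensitively

    def matching_strings(self, data: bytes) -> set:
        """Return the ids of all patterns that occur somewhere in `data`."""
        hits = set()
        for sid, pattern in self.strings.items():
            if sid in self.nocase:
                found = re.search(re.escape(pattern), data, re.IGNORECASE) is not None
            else:
                found = pattern in data
            if found:
                hits.add(sid)
        return hits

    def matches(self, data: bytes) -> bool:
        """Evaluate the rule's condition against the set of matching strings."""
        hits = self.matching_strings(data)
        m = re.fullmatch(r"(all|any|\d+) of them", self.condition)
        if not m:
            raise ValueError(f"unsupported condition: {self.condition}")
        quantifier = m.group(1)
        if quantifier == "all":
            return len(hits) == len(self.strings)
        if quantifier == "any":
            return len(hits) >= 1
        return len(hits) >= int(quantifier)


# Constructed rules: the strings are illustrative, not published Magecart IOCs.
RULES = [
    # Textual patterns typical of an un-obfuscated form-harvesting script.
    Rule(
        name="skimmer_like_js",
        strings={
            "$card": b"cardnumber",                # nocase: matches "cardNumber" too
            "$b64": b"btoa(",
            "$xhr": b"XMLHttpRequest",
            "$submit": b'addEventListener("submit"',
        },
        condition="3 of them",
        nocase={"$card"},
    ),
    # Binary patterns: a Windows PE file starts with the bytes 4D 5A ("MZ").
    Rule(
        name="pe_header",
        strings={
            "$mz": b"\x4d\x5a",
            "$dos": b"This program cannot be run in DOS mode",
        },
        condition="all of them",
    ),
]


def scan(data: bytes) -> list:
    """Return the names of all rules that match `data`, in rule order."""
    return [rule.name for rule in RULES if rule.matches(data)]


# Constructed samples (deliberately fragmentary; they do nothing on their own).
SAMPLE_SUSPICIOUS = b"""// constructed sample: tokens a skimmer rule keys on
form.addEventListener("submit", handler);
var v = document.getElementById("cardNumber").value;
var enc = btoa(v);
var x = new XMLHttpRequest();
"""
SAMPLE_BENIGN = b"""// constructed sample: ordinary slider initialisation
var slider = new Slider("#gallery", {autoplay: true});
slider.addEventListener("slide", updateDots);
"""
SAMPLE_PE = b"MZ\x90\x00\x03\x00" + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    for label, sample in [("suspicious", SAMPLE_SUSPICIOUS),
                          ("benign", SAMPLE_BENIGN), ("pe", SAMPLE_PE)]:
        print(f"{label}: {scan(sample)}")
```

The "3 of them" threshold is the part worth noticing: a single token such as `btoa(` appears in plenty of legitimate code, so a rule that fires on one string alone would be noisy, while requiring several co-occurring strings is what lets a rule describe a family rather than a single file. Real YARA rules add features this toy omits (regular expressions, string offsets, file-size and module conditions), but the evaluation model is the same.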
What can users do to prevent these attacks?
Unfortunately, there’s not much a user can do to defend against an attack at the router level. The only sure precaution is to avoid shopping from suspicious online stores or over public networks, like the ones in hotels, malls, and airports. Nonetheless, shopping from home also poses risks.
There’s still hope, as security researchers have been recommending something called a virtual card. This approach means that the user gets a single-use card number valid for one transaction only.
What is a virtual card? It is a prepaid credit card that enables shopping freely online. The virtual card consists of a number only and has no physical carrier. With this card, users can rely on the security and protection of their online payments.
This means that even if the card number is used on a dangerous website, the card number is useless once the transaction is completed. The disadvantage of the virtual card is that it is still not widely available to users worldwide, and it may not be easy to get one.
The change in tactics of Magecart hackers in their skimming operations is not that surprising, as attacks at the router level are not unheard of. Insecure routers have been targeted in many attacks, such as phishing, cryptomining, and malware downloads.
In short, router security should not be overlooked. To keep the router safe, you should check whether its wireless network is protected by a key or not. If you have not set up any key for the router, you can do so on the wireless security setup screen in the router’s interface. There are other tips for router security that you should consider applying.