Magecart Hackers Target L7 Routers

One of the financially motivated threat actors operating under the Magecart umbrella appears to be testing malicious code to inject into commercial-grade layer 7 (L7) routers, IBM reports.

These devices are used by hotels, resorts, airports, and in other public locations. According to IBM, Magecart Group 5 (MG5) is attempting to load code into the JavaScript files loaded by these routers in an attempt to target users shopping on U.S. and Chinese websites.

The threat group is apparently capable of injecting credit card data scraping code into a popular open-source JavaScript library that websites leverage to ensure wide compatibility with mobile browsing.

“By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online,” IBM says.

The hackers are believed to have prepared code for injection into a specific type of commercial-class layer 7 router that can deliver commercial Wi-Fi connectivity to numerous users. No vendor compromise has been observed so far, the security researchers note.

These routers allow operators to control the content delivered to every user who connects to them. From an information security perspective, however, IBM says that the very capabilities these devices offer, such as content filtering, redirection to interstitial pages, payload rewriting and traffic shaping, are also sources of risk.

By compromising the web resources an L7 router loads, an attacker could potentially leverage the device maliciously against the users connecting to it.
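Payload rewriting by an intermediary is exactly what Subresource Integrity (SRI) is designed to catch: the site operator pins the hash of each script it loads, and a copy altered in transit no longer matches. The following is an added example, not code from the article or from IBM; the library bytes and the appended text are constructed stand-ins, and the check is a simplified version of what a browser does.

```python
# Added example: verify a JavaScript asset delivered over a network against a
# publisher-pinned SRI hash, which defeats payload rewriting by an intermediary
# such as an L7 router. Sample bytes below are constructed, not real library code.
import base64
import hashlib

SUPPORTED = ("sha256", "sha384", "sha512")  # algorithms SRI allows


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token ("sha384-<base64 digest>") for data."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check served bytes against a space-separated list of SRI tokens.

    Simplified relative to browsers (which only consider the strongest
    algorithm present): here the resource passes if any token with a
    supported algorithm matches. Unknown algorithms are ignored.
    """
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in SUPPORTED:
            continue
        digest = hashlib.new(algo, data).digest()
        if base64.b64encode(digest).decode("ascii") == expected:
            return True
    return False


# Constructed stand-in for the touch-slider library the article mentions.
ORIGINAL_JS = b"(function(){window.Slider=function(el){this.el=el;};})();\n"
# The same file after an intermediary appends content (constructed marker only).
REWRITTEN_JS = ORIGINAL_JS + b"/* content appended in transit */\n"

# What the site operator would place in the <script integrity=""> attribute.
PINNED = sri_hash(ORIGINAL_JS)


def check_delivery(served: bytes) -> str:
    """Classify a served copy of the asset against the pinned hash."""
    if verify_sri(served, PINNED):
        return "ok"
    return "TAMPERED: hash mismatch, do not execute"


if __name__ == "__main__":
    print("original :", check_delivery(ORIGINAL_JS))
    print("rewritten:", check_delivery(REWRITTEN_JS))
```

SRI only helps when the pinned hash was taken from a clean copy; if the upstream library source itself is corrupted, as the article describes for the slider code, the operator must verify the file before pinning it.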


The issue, IBM’s researchers explain, is that Wi-Fi is usually offered for free in certain locations, such as hotels, although there’s usually a “slim information technology team to manage the infrastructure on site.”

This often leads to situations where patching isn’t performed in due time, a situation frequently worsened by hotels agreeing to let mid-stream ads run before guests connect in exchange for a discounted Wi-Fi price.

The presence of ads, JavaScript injections, and numerous connected users is the perfect recipe for attacks such as those performed by Magecart, which aim to compromise payment data.

Not only can payment data be stolen when guests browse the web through a compromised router, but the same position also allows malicious ads to be injected into the traffic of all connected users, whether or not they pay for the Wi-Fi.

IBM also believes that the Magecart group has infected open-source mobile app code that’s offered to app developers for free, and which provides a library-agnostic touch slider so that developers can build touch galleries for their applications.

“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product,” IBM notes.

Related: Magecart Hackers Target Mobile Users of Hotel Websites

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
