Magecart Group 5 (MG5), one of the financially motivated threat actors operating under the Magecart umbrella, appears to be testing malicious code for injection into commercial-grade layer 7 (L7) routers, IBM reports.
“By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online,” IBM says.
The hackers are believed to have prepared code for injection into a specific type of commercial-class layer 7 router that can deliver commercial Wi-Fi connectivity to numerous users. No vendor compromise has been observed so far, the security researchers note.
These routers let operators control the content delivered to every user who connects to them. From an information security perspective, however, the very features that make this possible, content filtering, redirection to interstitial pages, payload rewriting and traffic shaping, among others, are also risks, IBM says.
By compromising the web resources an L7 router loads, an attacker could potentially leverage the device maliciously against the users connecting to it.
The issue, IBM’s researchers explain, is that Wi-Fi is usually offered for free in places such as hotels, where there is typically only a “slim information technology team to manage the infrastructure on site.”
Patching therefore often falls behind, and the exposure is widened by the fact that many hotels agree to show guests ads before they connect, in exchange for a discounted Wi-Fi service.
A compromised router thus not only exposes the payment data of guests who shop online while connected to it, but also lets the attacker inject malicious ads into the traffic of every user on the network, whether they pay for Wi-Fi or not.
IBM also believes that the Magecart group has infected open-source mobile app code that’s offered to app developers for free, and which provides a library-agnostic touch slider so that developers can build touch galleries for their applications.
“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product,” IBM notes.
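The two risks the article describes, an in-path L7 device rewriting HTML responses and a vendored open-source library that no longer matches what the developer originally audited, are both caught by the same control: hashing the resources a page loads and comparing them against values pinned when they were vetted. The following is an added example written for this page, not code from IBM or from the article; the page, slider file, injected tags and library name are all constructed stand-ins, and the `l7_rewrite` function only models the payload-rewriting capability described above in order to produce test input for the checks.

```python
"""Added example (not from the IBM report): integrity checks against
in-path HTML rewriting and against a tampered vendored library.

All inputs are constructed for illustration; every hash is computed
from them at runtime rather than copied from any real site or library.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# --- Constructed inputs ---------------------------------------------------

# The slider library as the developer vetted it (stand-in, not a real file).
SLIDER_AS_VETTED = b"(function(){window.slider={init:function(){}};})();"

# The page as the origin server sends it. The inline script is the site's own.
ORIGIN_HTML = """<html><head>
<script src="/static/slider.min.js" integrity="{sri}" crossorigin="anonymous"></script>
</head><body>
<script>window.appConfig={{currency:"USD"}};</script>
<form id="checkout"></form>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value in the form '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_origin_page() -> str:
    """The page as served, with the slider pinned to its vetted hash."""
    return ORIGIN_HTML.format(sri=sri_hash(SLIDER_AS_VETTED))


def l7_rewrite(html: str, injected_tag: str) -> str:
    """Model of the payload-rewriting capability an L7 device has: a tag is
    appended before </body>. Used here only to generate test input."""
    return html.replace("</body>", injected_tag + "\n</body>")


def audit_scripts(html: str, allowed_inline: set[str]) -> list[str]:
    """Return findings a client-side integrity policy would reject:
    external scripts lacking an integrity attribute, and inline scripts
    whose hash is not in the allowlist (the same hashes a CSP script-src
    hash list would carry)."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        attr = dict(ATTR_RE.findall(attrs))
        if "src" in attr:
            if "integrity" not in attr:
                findings.append(f"external script without integrity: {attr['src']}")
        else:
            h = sri_hash(body.strip().encode())
            if h not in allowed_inline:
                findings.append(f"inline script not in allowlist: {h}")
    return findings


def verify_dependency(data: bytes, pinned: str) -> bool:
    """Supply-chain check: compare a vendored library against the hash
    pinned at audit time, using a constant-time comparison."""
    algo = pinned.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(data, algo), pinned)


def demo() -> dict:
    """Run both checks on clean and tampered inputs and return the results."""
    page = build_origin_page()
    allowed = {sri_hash(b'window.appConfig={currency:"USD"};')}
    # Constructed injections: an unpinned external script and an inline one.
    tampered = l7_rewrite(page, '<script src="https://ads.example/inject.js"></script>')
    tampered = l7_rewrite(tampered, '<script>console.log("interstitial");</script>')
    pinned = sri_hash(SLIDER_AS_VETTED)
    return {
        "clean_findings": audit_scripts(page, allowed),
        "tampered_findings": audit_scripts(tampered, allowed),
        "vetted_library_ok": verify_dependency(SLIDER_AS_VETTED, pinned),
        "modified_library_ok": verify_dependency(SLIDER_AS_VETTED + b"/*x*/", pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same `sri_hash` value serves both sides: it is what goes into the `integrity` attribute (so a browser refuses a rewritten `slider.min.js`) and what a build step compares against the vendored file before it ships. Neither check helps against content the device injects as a plain inline tag unless the site also sends a CSP whose `script-src` lists only the allowlisted hashes, which is why `audit_scripts` treats an unknown inline script as a finding rather than ignoring it.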
Related: Magecart Hackers Target Mobile Users of Hotel Websites
Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets