Hackers looking into injecting card-stealing code on routers, rather than websites


Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade “Layer 7” routers to steal payment card details.

This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details.

Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. This new discovery escalates Magecart attacks to a new level, where the malicious code is injected at the router level, rather than being planted by hackers on outdated websites.

What are L7 routers

Layer 7, or L7, routers are a type of commercial, heavy-duty router that’s usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others.

They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model — meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more.

In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

The idea is that hackers would compromise L7 routers and then use their powerful traffic manipulation features to inject these malicious scripts into users’ active browser sessions.

IBM IRIS researchers said the scripts they found were specifically designed to extract payment card data from online shops, and upload the stolen information to a remote web server.
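Whether a skimmer is planted on the web server or injected into the response by a device in the network path, it ends up as a script element the browser did not get from the store’s own code. The following added example (not code from the article or from IBM’s report) shows the page-integrity check a shop operator or monitoring tool can run: parse the checkout page as delivered and flag every script that is not covered by a baseline of expected script hosts and known inline-script hashes. The HTML, the host names and the baseline values are constructed for the example.

```python
"""Flag <script> elements on a fetched page that are not in a known-good baseline.

Added example, not from the article or IBM's report. External scripts are
judged by the host they load from; inline scripts by the SHA-256 of their
body. Anything outside the baseline is reported, whichever way it got into
the page. All hosts, HTML and baseline values below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sha256_hex(text):
    """SHA-256 digest of a string, as lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed baseline: hosts the store legitimately loads scripts from,
# and digests of the inline scripts that are expected on the checkout page.
PAGE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
KNOWN_INLINE_HASHES = {
    sha256_hex("window.dataLayer = window.dataLayer || [];"),
}


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # each entry: {"src": str or None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr = dict(attrs)
            self._current = {"src": attr.get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script contents through handle_data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_unexpected_scripts(html, page_host=PAGE_HOST,
                            allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                            known_inline=KNOWN_INLINE_HASHES):
    """Return (kind, detail) findings for scripts not covered by the baseline.

    kind is "external" (detail: the src URL) or "inline" (detail: the body
    hash). Relative src values are treated as belonging to page_host.
    Bodies are whitespace-stripped before hashing so re-indented markup
    does not alert, while any changed or added inline code does.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlsplit(s["src"]).hostname or page_host
            if host not in allowed_hosts:
                findings.append(("external", s["src"]))
        else:
            body = s["body"].strip()
            if body and sha256_hex(body) not in known_inline:
                findings.append(("inline", sha256_hex(body)))
    return findings


# Constructed checkout page: three expected scripts followed by one
# unexpected external loader and one unexpected inline block.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example/lib/app.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
</head><body>
<form id="checkout"></form>
<script src="/static/checkout.js"></script>
<script src="https://unexpected-host.invalid/loader.js"></script>
<script>/* constructed: code not in the baseline */ var injected = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_unexpected_scripts(SAMPLE_PAGE):
        print(f"unexpected {kind} script: {detail}")
```

The baseline has to be built from a trusted copy of the page (for example, from the deployment artefact rather than from a live fetch), and a check like this is most useful when run regularly from several network vantage points, since an in-path injection only shows up in responses that traverse the compromised device.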

Researchers said they found these scripts after the hackers uploaded the files to VirusTotal, a web-based antivirus aggregator. The hackers appear to have been testing whether their code would be detected by the antivirus engines that are part of the VirusTotal aggregator.

In total, IBM IRIS researchers found 17 scripts, which they organized in five groups, based on their purpose.

Well-known hacking group behind the “router file tests”

Researchers said that domains and other indicators in the code linked the 17 files to a known hacker group tracked as Magecart #5.

This is a known threat actor that has engaged in hacking IT companies and planting card-stealing code in their products. They also used CDNs (content delivery networks) and ads to deliver the malicious code.

These types of attacks are called web skimming, or Magecart attacks, and have been going on for at least three years, but they became a popular trend in the past year. A RiskIQ report published last year delved deeper into Magecart attacks.

Yonathan Klijnsma, Head of Threat Research at RiskIQ, said that Magecart group #5 is one of the most sophisticated of all the Magecart groups his company has tracked.

In its 2018 report, RiskIQ identified 12 Magecart groups, but IBM said it’s now tracking 38 such entities.

Unclear if the “test files” are now used in the real world

IBM IRIS researchers said the Magecart group #5 test scripts they found were uploaded on VirusTotal between April 11 and April 14.

It is unclear if hackers deployed the scripts on real-world routers, but the chances are that they did.

IBM IRIS noted that, historically, the Magecart #5 group has been active in stealing payment card data entered in the checkout forms of selected US and Chinese online stores. These may also be the stores they’ll target if they deploy their malicious scripts on routers.

From a user perspective, there’s not much that victims can do to protect themselves from a Magecart attack executed at the router level, except avoid shopping online from untrusted or public networks, such as those in hotels, airports, or malls.

However, when shopping from home, users are still exposed to Magecart attacks that rely on inserting malicious code at the website level.

But there may be one solution. In recent months, responding to the rise in Magecart (web skimming) attacks, security researchers have begun recommending using a “virtual card” service, where users get a one-time payment card number they can use for one transaction only.

Even if the card number is used on a compromised site, once the transaction is completed, the card number becomes useless for hackers afterward. The downside is that “virtual card” services aren’t always available in all countries around the globe, and not all users will be able to get one.

Magecart attacks evolving towards injections of malicious code at the router level aren’t actually a surprise for most security experts. Insecure routers have been hacked before over the past decade, usually to redirect users to phishing links or malicious downloads, or to inject cryptojacking scripts or ads for criminals’ profit. It was only a matter of time until Magecart groups realized they could do the same, inserting card-stealing code instead of the payloads previous groups have used.
