Magecart skimmers seen targeting routers for customer Wi-Fi networks


That captive portal may be more captive than you know. (credit: John Moore / Getty Images)

Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal web malware operators that appears to be targeting commercial layer 7 routers—the type typically associated with Wi-Fi networks that use "captive portals" to either require customer sign-in or charge for Internet access.

The group, called "Magecart 5," is one of several factions of criminal groups originally associated with the Magecart "web skimmer," a class of JavaScript-based payment-card-stealing malware that has been used in the past to target customers on e-commerce websites. Ticketmaster, British Airways, and NewEgg customers were just some of the victims in a rash of exploits by Magecart rings in 2018, and the malware operators have continued to be active in 2019. According to researchers, hundreds of thousands of merchant sites have been compromised through attacks on third-party services.

In the past, Magecart attacks have focused on exploiting web infrastructure components of victims' e-commerce sites. In the case of British Airways and NewEgg, a web server was compromised, and the attackers added 22 new lines of code to an existing JavaScript library. The code redirected some traffic to a lookalike domain name used to capture payment data. In Ticketmaster's case, it was a third-party service provider's server that was compromised. And in one attack on Umbro Brazil, two different Magecart gangs hit the site—with one sabotaging the other's skimming operations by feeding fake data.


via Biz & IT – Ars Technica https://ift.tt/2lH4y34