Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal web malware operators that appears to be targeting commercial layer 7 routers—the type typically associated with Wi-Fi networks that use “captive portals” to either require customer sign-in or charge for Internet access.
Ticketmaster, British Airways, and NewEgg customers were just some of the victims in a rash of exploits by Magecart rings in 2018, and the malware operators have continued to be active in 2019. According to researchers, hundreds of thousands of merchant sites have been compromised through attacks on third-party services.
Now you’re playing with captive portals
These routers can also control the content delivered to users—with content filtering, the loading of interstitial pages before loading the intended site, and other potentially dangerous bits of manipulation (such as “traffic shaping”). If this type of router were to be compromised, malicious code could be used to steal users’ payment data during e-commerce sessions through redirection of traffic to lookalike servers, and malicious advertisements could be injected into web pages to attack connected devices.
The researchers also found evidence that the group was making modifications to an open source mobile application library used to create touch “sliders” to allow users to swipe through galleries. “[Magecart 5] has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of user data of those using the finished product.” That matches Magecart 5’s pattern of compromising third-party resources to get a broader effect, the researchers noted.
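Both scenarios above (scripts injected into pages by an in-path device, and a third-party library poisoned at its source) leave the same trace on the wire: the page serves JavaScript that the site owner never vetted. The following is an added example, not code from the article or from X-Force IRIS, showing how a site owner can audit a served page for that condition using Subresource Integrity digests: every external script must carry an `integrity` attribute matching its fetched content, the fetched content must match a baseline digest taken when the library was reviewed, and inline scripts must be on an allowlist. The page HTML, the library bytes, and the `cdn.example.invalid` URLs are all constructed for the demo; `fetched` stands in for whatever HTTP client you use to retrieve the assets.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64>") for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collect <script> tags: external ones (src/integrity) and inline ones (body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None  # the <script> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": None, "integrity": None, "body": ""}
            for name, value in attrs:
                if name in ("src", "integrity"):
                    self._open[name] = value

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw text and delivers it here.
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_scripts(html: str, fetched: dict, baseline: dict, allowed_inline: set) -> list:
    """Return (finding, detail) pairs for every script on the page that is not
    exactly what the site owner vetted.

    fetched        -- src URL -> bytes actually served for that asset
    baseline       -- src URL -> SRI digest recorded when the library was reviewed
    allowed_inline -- SRI digests of the inline script bodies the site ships itself
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"] is None:
            body = script["body"].strip().encode("utf-8")
            if sri_digest(body) not in allowed_inline:
                findings.append(("unexpected-inline-script", body[:60].decode("utf-8")))
            continue
        src = script["src"]
        content = fetched.get(src)
        if content is None:
            findings.append(("asset-not-fetched", src))
            continue
        actual = sri_digest(content)
        if script["integrity"] is None:
            # The browser will run whatever the CDN (or an in-path device) serves.
            findings.append(("missing-integrity", src))
        elif script["integrity"] != actual:
            # The browser would refuse this; the served bytes differ from the tag.
            findings.append(("integrity-mismatch", src))
        expected = baseline.get(src)
        if expected is not None and expected != actual:
            # The library itself changed since review: the supply-chain case.
            findings.append(("baseline-drift", src))
    return findings


# --- Constructed demo data (not real assets) ---------------------------------
SLIDER_URL = "https://cdn.example.invalid/slider.js"
ANALYTICS_URL = "https://cdn.example.invalid/analytics.js"
CLEAN_SLIDER = b"(function(){window.Slider=function(el){/* swipe gallery */};})();\n"
# Constructed: the same library with one extra statement appended at its source.
TAMPERED_SLIDER = CLEAN_SLIDER + b"(function(){/* constructed extra code */})();\n"
BASELINE = {SLIDER_URL: sri_digest(CLEAN_SLIDER)}
ALLOWED_INLINE = {sri_digest(b"initSlider('#gallery');")}
SAMPLE_PAGE = (
    "<html><head>\n"
    f'<script src="{SLIDER_URL}" integrity="{BASELINE[SLIDER_URL]}"></script>\n'
    f'<script src="{ANALYTICS_URL}"></script>\n'
    "</head><body>\n"
    "<script>initSlider('#gallery');</script>\n"
    "<script>var t = setTimeout(sync, 0);</script>\n"
    "</body></html>\n"
)


def run_demo() -> list:
    """Audit the constructed page against tampered slider bytes."""
    fetched = {SLIDER_URL: TAMPERED_SLIDER, ANALYTICS_URL: b"track();\n"}
    return audit_scripts(SAMPLE_PAGE, fetched, BASELINE, ALLOWED_INLINE)


if __name__ == "__main__":
    for finding, detail in run_demo():
        print(f"{finding:26} {detail}")
```

Run against the constructed page, the audit reports the slider both as an `integrity-mismatch` (the tag's digest no longer matches what is served) and as `baseline-drift` (the served bytes differ from the reviewed version), flags the analytics script for carrying no `integrity` attribute at all, and reports the second inline script as unexpected. The same check run periodically from outside the network, comparing what a client actually receives against the site's own records, is one way to notice either an in-path injection or a poisoned upstream library before customers do.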