CSO Senior Writer

Magecart web skimming group targets public hotspots and mobile users

Sep 25, 2019

IBM researchers have discovered new Magecart scripts that suggest planned advertisement injection through Wi-Fi hotspots and supply chain attacks.


One of the web skimming groups that operate under the Magecart umbrella has been testing the injection of payment card stealing code into websites through commercial routers like those used in hotels and airports. The group has also targeted an open-source JavaScript library called Swiper that is used by mobile websites and apps.

Security researchers from IBM’s X-Force Incident Response and Intelligence Services team have found what appear to be test skimming scripts developed earlier this year by one of the most prolific of the dozen or so groups tracked by the security industry as Magecart. These groups have compromised thousands of websites to date and have injected malicious code designed to steal payment details into their checkout pages.

Some of the Magecart victims have included high-profile brands such as British Airways, TicketMaster and Newegg. The groups are known for using a variety of techniques to both infect websites and to hide their malicious code injected into pages, including the compromise of legitimate third-party services that already have Magecart scripts loaded into websites.

The X-Force investigation started with a couple of scripts found on VirusTotal, an online file and URL scanning service and aggregator of malware intelligence from vendors and user submissions. The scripts showed strong similarities to malicious code associated in the past with a group tracked as Magecart Group 5 (MG5).

Based on those initial files, the researchers tracked down a total of 17 scripts uploaded since April by the same user from Russia. Many of the scripts are similar but have modifications designed to bypass antivirus detection, suggesting their creator was using VirusTotal to test the effectiveness of his changes.

One of the skimmer scripts, called test4.html, references and is based on a script called advnads20.js that was associated in 2012 with rogue advertisement injection through Wi-Fi hotspots in hotels. The script contains code to interact with a commercial grade Layer 7 router.

“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data,” the X-Force team said in its report. “We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet.”

The malicious script is designed to collect information from all web forms, not just checkout pages. That’s because the compromise of Wi-Fi routers allows attackers to steal data when users are initially prompted to register and pay for using the internet, but also later, by automatically injecting skimming scripts into all websites accessed by users through those devices. Unlike Magecart attacks that are tailored for one website or brand, this is a catch-all type of compromise.

Supply chain attack a possible intent

Another identified file, called test3.html, is an injector script designed to load resources from external URLs into a compromised web page. One of the URLs it references points to a legitimate JavaScript library called Swiper, suggesting the intention to launch a supply chain attack through this script.

Swiper is a popular open-source library that can make websites designed for desktop-based access compatible with browsing from mobile devices. It can also be integrated into native and web-based mobile apps. Based on statistics, it’s used by over 280,000 websites, most of them from the US and China.

The targeting of third-party scripts that are loaded into legitimate websites is consistent with MG5’s modus operandi observed so far. For example, TicketMaster, one of MG5’s high-profile victims, was compromised through SociaPlus, a web analytics service. The group also compromised SAS Net Reviews, a verified reviews service used by e-commerce sites.

“This scenario involving the technology supply chain, infecting Swiper in this case, is consistent with MG5’s historical methods of targeting third-party platforms that would give the group a broad reach into numerous victims with a single compromise,” the X-Force researchers said.

The X-Force team’s advice for website owners is to avoid third-party code with known vulnerabilities, to use extension blacklists and to implement code and file integrity checks, especially for externally loaded JavaScript files. To protect their users from man-in-the-middle injections, like those performed through compromised routers, site operators can deploy strong content security policies (CSP) to prevent browsers from loading rogue resources.