Magecart Group Plans to Inject Skimmers at the Router Level

Delaware, USA – September 30, 2019 – One of the most sophisticated Magecart groups is exploring new ways to steal payment card data. IBM X-Force team discovered Magecart scripts which can be deployed on Level 7 routers that are capable of manipulating traffic at the application level. It is not known whether scripts were used in the wild. Researchers suggest that the attackers uploaded them to VirusTotal back in April to ascertain that antivirus engines do not identify them as malicious. A total of 17 different scripts were discovered that steal banking card data and transmit it to the attackers’ server. The compromise of Level 7 router, which can often be found in large networks, allows attackers to inject scripts on victim’s browser sessions directly. IBM researchers claim the scripts are designed to extract payment card data entered on the US and Chinese major online stores.

Behind this attack is the so-called Magecart Group 5 which injected malicious code into the Shopper Approved plug-in used by hundreds of e-commerce sites and attacked Ticketmaster in July of the last year. This group is considered one of the most dangerous among the Magecart groups involved in compromising sites and implementing skimmers. It also follows from the report that researchers already track down the activity of 38 groups, although there were only 12 a year ago. Most groups compromise sites by exploiting known vulnerabilities or brute-forcing admin credentials to inject skimming scripts and install backdoors. You can use Web Application Security Framework to detect breach attempts and web resources misuse: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight