Web-skimming malware makers appear to be testing attacks against layer 7 routers.
Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal web malware operators that appears to be targeting commercial layer 7 routers — the type typically associated with Wi-Fi networks that use “captive portals” to either require customer sign-in or charge for Internet access.
Now you’re playing with captive portals
These routers can also control the content delivered to users — with content filtering, the loading of interstitial pages before loading the intended site, and other potentially dangerous bits of manipulation (such as “traffic shaping”). If this type of router were to be compromised, malicious code could be used to steal users’ payment data during e-commerce sessions through redirection of traffic to lookalike servers, and malicious advertisements could be injected into web pages to attack connected devices.
The researchers also found evidence that the group was making modifications to an open source mobile application library used to create touch “sliders” to allow users to swipe through galleries. “[Magecart 5] has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of user data of those using the finished product.” That matches with Magecart 5’s modus operandi of compromising third-party resources to get a broader effect, the researchers noted.