Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade "Layer 7" routers to steal payment card details.

This discovery is a game-changer in what researchers call Magecart attacks, also known as web skimming. These are attacks where hackers plant malicious code on an online store that records and steals payment card details.

Until now, Magecart-specific code was only delivered at the website level, hidden inside JavaScript or PHP files. However, this new discovery is an escalation of Magecart attacks to a new level, where the malicious code is injected at the router level, rather than being added by hackers on outdated websites.

What are L7 routers

Layer 7, or L7, routers are a type of commercial, heavy-duty router that's usually installed on large networks, such as hotels, malls, airports, casinos, government networks, public spaces, and others.

They work like any other router, except with the added benefit of being able to manipulate traffic at the seventh layer (application level) of the OSI networking model -- meaning they can react to traffic based on more than just IP addresses, such as cookies, domain names, browser types, and more.

In a report published today, researchers with the IBM X-Force Incident Response and Intelligence Services (IRIS) team said they found evidence that a well-known hacker group has been testing Magecart scripts to deploy on L7 routers.

The idea is that hackers would compromise L7 routers and then use their powerful traffic manipulation features to inject these malicious scripts in users' active browsers sessions.

IBM IRIS researchers said the scripts they found were specifically designed to extract payment card data from non-HTTPS online shops, and upload the stolen information to a remote web server.

Researchers said they found these scripts after the hackers uploaded the files on VirusTotal, a web-based antivirus aggregator. The hackers appear to have been testing if their code would be detected by the antivirus engines part of the VirusTotal aggregator.

In total, IBM IRIS researchers found 17 scripts, which they organized in five groups, based on their purpose.

Image: IBM IRIS

Well-known hacking group behind the "router file tests"

Researchers said that domains and other indicators in the code linked the 17 files to a known hacker group known as Magecart #5.

This is a known threat actor that has engaged in hacking IT companies and planting card-stealing code in their products. They also used CDNs (content delivery networks) and ads to deliver the malicious code.

These types of attacks are called web skimming, or Magecart attacks, and have been going on for at least three years, but they became a popular trend in the past year. A RiskIQ report published last year delved deeper into Magecart attacks.

Yonathan Klijnsma, Head of Threat Research at RiskIQ, said that Magecart group #5 is one of the most sophisticated of all the Magecart groups his company has tracked.

In its 2018 report, RiskIQ identified 12 Magecart groups, but IBM said it's now tracking 38 such entities.

Unclear if the "test files" are now used in the real world

IBM IRIS researchers said the Magecart group #5 test scripts they found were uploaded on VirusTotal between April 11 and April 14.

It is unclear if hackers deployed the scripts on real-world routers, but the chances are that they did.

IBM IRIS noted that, historically, the Magecart #5 group has been active in stealing payment card data entered in the checkout forms of selected US and Chinese online stores. These may also be the stores they'll target if they deploy their malicious scripts on routers.

From a user perspective, there's not that much that victims can do to prevent from a Magecart attack executed at the router level, except avoid shopping online on HTTP sites and from untrusted or public networks, such as those in hotels, airports, or malls.

However, when shopping from home, users are still exposed to Magecart attacks that rely on inserting malicious code at the website level.

But there may be one solution. In recent months, responding to the rise in Magecart (web skimming) attacks, security researchers have begun recommending using a "virtual card" service, where users get a one-time payment card number they can use for one transaction only.

Even if the card number is used on a compromised site, once the transaction is completed, the card number becomes useless for hackers afterward. The downside is that "virtual card" services aren't always available in all countries around the globe, and not all users will be able to get one.

Magecart attacks evolving towards injections of malicious code at the router level aren't actually a surprise for most security experts. Insecure routers have been hacked in the past decade before, usually to redirect users to phishing links, malicious downloads, to inject cryptojacking scripts, or to inject ads for criminals' profits. It was only a matter of time until Magecart groups realized they could do the same, but insert card-stealing code instead of what previous groups have used in the past.