Magecart skimmers are targeting routers for customer Wi-Fi networks

Injecting malicious scripts onto L7 routers potentially exposes guests connecting to Wi-Fi hotspots to payment data theft

Security researchers at IBM X-Force IRIS have found evidence of Magecart skimmers targeting commercial layer 7 (L7) routers to steal payment card details of users.

Up until now, Magecart-specific code was only delivered at the website level, with web skimmers hiding the code inside PHP or JavaScript files. But researchers say they have found hackers designing and testing malicious scripts that they can inject onto L7 routers - potentially exposing guests connecting to Wi-Fi hotspots to payment data theft.

Heavy-duty L7 routers are normally used to provide paid or free Wi-Fi services on large networks, such as hotels, airports, malls, casinos, government networks and so on.

Researchers said Magecart groups have already compromised thousands of websites by injecting malicious code to steal payment details entered into their checkout pages.

Magecart Group 5 focuses on targeting third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide

Some of the victims of Magecart attacks include big brands, such as TicketMaster, British Airways, and Newegg.

The X-Force team started their investigation after they discovered a number of scripts on VirusTotal, finding huge similarities to malicious code linked with a group called Magecart Group 5 (MG5).

The researchers also discovered 17 other scripts uploaded since April and observed that most of them were similar to each other, albeit with small modifications in a bid to prevent detection.

One script, dubbed test4.html, was based on another script named advnads20.js, which was linked in 2012 with malicious ad'-injection via Wi-Fi hotspots in hotels.

According to researchers, test4.html aims to gather information from all web forms, and steals confidential data when users are asked to register themselves and make the payment for internet use.

The researchers believe MG5 is currently attacking users shopping on US and Chinese websites.

MG5 is also likely injecting its malicious code into an open-source JavaScript library that is offered as a free tool to help make websites compatible with mobile browsing. Infecting the code of JavaScript library allows attackers to compromise the data of smartphone users that install booby-trapped apps on their device and then shop online.

"Unlike other online skimmer groups that directly compromise their target's shopping cart platforms, Magecart Group 5 focuses on targeting third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide," researchers said.

Researchers recommend retailers avoid third-party code and using strong content security policies to protect themselves from Magecart attacks.

Banks and card issuers have also been advised to educate merchants about Magecart attacks.