Security researchers from IBM’s X-Force Incident Response and Intelligence Services team have found what appear to be test skimming scripts developed earlier this year by one of the most prolific of the dozen or so groups tracked by the security industry as Magecart. These groups have compromised thousands of websites to date and have injected malicious code designed to steal payment details into their checkout pages.
Magecart victims have included high-profile brands such as British Airways, TicketMaster and Newegg. The groups are known for using a variety of techniques both to infect websites and to hide the malicious code they inject into pages, including compromising legitimate third-party services whose scripts are already loaded by many websites, so that a single compromise reaches every site that embeds them.
The X-Force investigation started with a couple of scripts found on VirusTotal, an online file and URL scanning service and aggregator of malware intelligence from vendors and user submissions. The scripts showed strong similarities to malicious code associated in the past with a group tracked as Magecart Group 5 (MG5).
Based on those initial files, the researchers tracked down a total of 17 scripts uploaded since April by the same user from Russia. Many of the scripts are similar but carry modifications designed to bypass antivirus detection, suggesting their creator was using VirusTotal to test the effectiveness of each change.
Advertisement injection through Wi-Fi
One of the skimmer scripts, called test4.html, references and is based on a script called advnads20.js that was associated in 2012 with rogue advertisement injection through Wi-Fi hotspots in hotels. The script contains code to interact with a commercial-grade Layer 7 router.
“Having access to a large number of captive users with very high turnover, like in the case of airports or hotels, is a lucrative concept for attackers looking to compromise payment data,” the X-Force team said in its report. “We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet.”
The malicious script is designed to collect data from all web forms, not just checkout pages. Compromising a Wi-Fi router lets attackers steal data at two points: first when users are prompted to register and pay for internet access, and later by injecting skimming scripts into every website those users load through the device. Unlike Magecart attacks tailored to one website or brand, this is a catch-all type of compromise. A caveat worth noting: a router can only alter page content it can read and modify, which rules out pages served over HTTPS, so the later, site-wide phase of such an attack depends on users visiting sites over plain HTTP.
Supply chain attack a possible intent
Another of the scripts relates to Swiper, a popular open-source library that can make websites designed for desktop-based access usable from mobile devices. It can also be integrated into native and web-based mobile apps. According to usage statistics, it is loaded by over 280,000 websites, most of them in the US and China.
The targeting of third-party scripts that are loaded into legitimate websites is consistent with MG5’s modus operandi observed so far. For example, TicketMaster, one of MG5’s high-profile victims, was compromised through SociaPlus, a web analytics service. The group also compromised SAS Net Reviews, a verified reviews service used by e-commerce sites.
“This scenario involving the technology supply chain, infecting Swiper in this case, is consistent with MG5’s historical methods of targeting third-party platforms that would give the group a broad reach into numerous victims with a single compromise,” the X-Force researchers said.