Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal Web malware operators that appears to be targeting commercial layer 7 routers—the type typically associated with Wi-Fi networks that use “captive portals” to either charge for Internet access or require customers to sign in.
Now you’re playing with captive portals
These routers can also control the content delivered to users—with content filtering, the loading of interstitial pages before loading the intended site, and other potentially dangerous bits of manipulation (such as “traffic shaping”). If this type of router were to be compromised, malicious code could be used to steal users’ payment data during e-commerce sessions through redirection of traffic to lookalike servers, and malicious advertisements could be injected into webpages to attack connected devices.
The researchers also found evidence that the group was making modifications to an open source mobile application library used to create touch “sliders” to allow users to swipe through galleries. “[Magecart 5] has likely infected this code, corrupting it at its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of user data of those using the finished product.” That matches with Magecart 5’s modus operandi of compromising third-party resources to get a broader effect, the researchers noted.