A hacking group tracked as Magecart Group 5 (MG5) is reportedly targeting the commercial-grade layer 7 (L7) routers that provide public Wi-Fi in hotels, airports, casinos, and resorts. According to researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), the group is specifically going after the routers that serve commercial Wi-Fi in public venues.
The researchers said the attackers were preparing to inject malicious code into a legitimate JavaScript file served by the L7 routers. Because these devices operate at the application layer and can rewrite the HTTP content they relay (captive-portal scripts, injected ads, and similar features), a compromised router can deliver a skimmer to every device connected to the Wi-Fi network without touching the target websites themselves.
“Our research revealed that MG5 is likely testing malicious code designed for injection into benign JavaScript files loaded by commercial-grade layer 7 routers. These routers are typically used by airports, casinos, hotels, and resorts, to name a few. X-Force IRIS believes MG5 is currently targeting users shopping on the U.S. and Chinese websites,” the researchers said in a statement.
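The defensive counterpart to the injection described above is to make tampering with a served JavaScript file detectable. The following is an added example, not code from the original article or from the IBM report: it computes Subresource Integrity (SRI) values for a script and verifies a received copy against them, using a constructed "known-good" file and a constructed tampered copy (the real MG5 sample is not reproduced here). The caveat a practitioner should keep in mind is that SRI only helps when the HTML page carrying the `integrity` attribute is itself delivered intact (i.e. over HTTPS); a router that can rewrite an HTTP page can strip the attribute along with the script.

```python
import base64
import hashlib
import hmac
from typing import List

# Constructed sample: the JavaScript a client should receive from the venue's
# portal or CDN. Any real file would do; this one is a stand-in.
KNOWN_GOOD_JS = b"window.addEventListener('load', function () { initPortal(); });\n"

# Constructed sample: the same file with an extra hook appended, standing in
# for an in-transit modification by a compromised L7 router. Not the MG5 code.
TAMPERED_JS = KNOWN_GOOD_JS + b"document.addEventListener('submit', function (e) { /* ... */ });\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check received bytes against an integrity attribute.

    The attribute may carry several whitespace-separated tokens (browsers accept
    the strongest matching one); the data passes if any supported token matches.
    """
    for token in integrity.split():
        algo, sep, _ = token.partition("-")
        if not sep or algo not in SRI_ALGOS:
            continue  # unknown algorithm: ignore, as browsers do
        if hmac.compare_digest(sri_hash(data, algo), token):
            return True
    return False


def script_tag(src: str, data: bytes) -> str:
    """Emit the <script> tag a site operator would publish for a pinned file."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


def audit_served_copies(integrity: str, copies: List[bytes]) -> List[bool]:
    """Given the pinned integrity value and copies captured from different
    network paths (e.g. via the venue Wi-Fi and via a trusted link), report
    which copies still match. A False entry means the path altered the file."""
    return [verify_sri(c, integrity) for c in copies]


if __name__ == "__main__":
    pinned = sri_hash(KNOWN_GOOD_JS)
    print(script_tag("/static/portal.js", KNOWN_GOOD_JS))
    print(audit_served_copies(pinned, [KNOWN_GOOD_JS, TAMPERED_JS]))
```

The `audit_served_copies` helper is how a venue operator or an incident responder would use this offline: capture the file as seen through the suspect router and through a trusted path, and compare both against the published hash.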
Magecart groups have been tied to multiple intrusions, including the attacks on British Airways and the ticketing website Ticketmaster. In a related campaign, a skimming script was used to steal payment data from 201 online campus stores serving 176 colleges and universities in the U.S. and 21 in Canada. Security researchers at Trend Micro stated that they detected this Magecart-style attack on April 14, 2019, when malicious skimming code was injected into the stores' payment checkout pages.
Magecart actors were also behind a recent wave of compromises in which malicious code was planted on a large number of websites. According to a report from threat intelligence firm RiskIQ, the attackers used a "spray-and-pray" approach, scanning for misconfigured Amazon S3 buckets and overwriting any JavaScript they found in world-writable ones, and in this way planted skimmer code on over 17,000 domains since April 2019.
Supply-chain compromises of third-party script providers such as Picreel, Alpaca Forms, AppLixir, RYVIU, OmniKick, eGain, and AdMaxim show the same multiplier effect: compromising a single provider spreads the skimmer to every site that embeds its script. RiskIQ stated the attackers have been active in web skimming for a long time and started compromising unsecured S3 buckets in early April. The practical check for bucket owners is whether any grant in the bucket's ACL or policy gives write access to the AllUsers or AuthenticatedUsers groups; read access exposes data, but write access is what lets an attacker replace hosted scripts.
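The following is an added example, not code from the original article or from the RiskIQ report. It audits an S3 bucket ACL in the shape returned by the `GetBucketAcl` API, flags grants to Amazon's anonymous (`AllUsers`) and `AuthenticatedUsers` groups, and distinguishes the world-writable case that enables script replacement from merely public-read buckets. The ACL document below is constructed for the example; in practice the input would come from `aws s3api get-bucket-acl` or a boto3 call, which this offline example does not make.

```python
import copy
import json
from typing import Dict, List, Tuple

# Amazon's predefined groups. A grant to either of these is "public".
PUBLIC_GROUPS: Dict[str, str] = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Permissions that let a grantee create or replace objects, or rewrite the ACL
# itself (WRITE_ACP can be escalated to WRITE).
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample ACL, in the JSON shape of a GetBucketAcl response.
# The bucket owner has full control; the bucket is also readable AND writable
# by anyone on the internet, which is the misconfiguration the campaign abused.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}
  ]
}
""")


def public_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (group name, permission) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        name = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if name:
            found.append((name, grant.get("Permission", "")))
    return found


def world_writable(acl: Dict) -> bool:
    """True if any public group can create/replace objects or edit the ACL."""
    return any(perm in WRITE_PERMS for _, perm in public_grants(acl))


def world_readable(acl: Dict) -> bool:
    """True if any public group can list or read the bucket."""
    return any(perm in ("READ", "FULL_CONTROL") for _, perm in public_grants(acl))


def hardened_acl(acl: Dict) -> Dict:
    """Return a copy of the ACL with every public-group grant removed.

    Intentionally blunt: public READ is dropped along with WRITE. If a bucket
    must serve public static files, the usual answer is a CloudFront origin
    access identity or an explicit read-only bucket policy, not an AllUsers ACL.
    """
    fixed = copy.deepcopy(acl)
    fixed["Grants"] = [
        g for g in fixed.get("Grants", [])
        if not (g.get("Grantee", {}).get("Type") == "Group"
                and g["Grantee"].get("URI") in PUBLIC_GROUPS)
    ]
    return fixed


def report(acl: Dict) -> str:
    """One-line verdict suitable for an inventory scan across many buckets."""
    if world_writable(acl):
        return "CRITICAL: world-writable (hosted scripts can be replaced)"
    if world_readable(acl):
        return "WARNING: world-readable"
    return "OK: no public grants"


if __name__ == "__main__":
    print(public_grants(SAMPLE_ACL))
    print(report(SAMPLE_ACL))
    print(report(hardened_acl(SAMPLE_ACL)))
```

Bucket policies can grant the same access without any ACL entry, so a complete audit also evaluates the policy document (and the account-level Block Public Access setting); this example covers only the ACL path, which is the one the spray-and-pray campaign relied on.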