Magecart (Group 5): The financially motivated group Magecart, specifically Group 5 (MG5) in this case, is known for carrying out attacks on third-party suppliers in an effort to breach as many targets as possible. Researchers uncovered tests being carried out by the group that aims at injecting malicious code into JavaScript files that will eventually be loaded into L7 routers. L7 routers are used by restaurants, airports, and hotels among other places. These routers can distribute free wi-fi or allow a guest to connect to and then purchase a wi-fi plan, but most are connected to without any thought of compromise by the user. Research showed MG5 will inject their malicious card-skimming code into well-known JavaScript libraries, which are free to use and helps compatibility between websites and mobile browsing. These libraries will be uploaded to the routers. By doing this, the group is able to steal the card information that is being used when purchasing items when using a compromised router. The group is also trying to inject advertisements that would pop up when individuals connect to the router–enticing victims to click on them and eventually connect the user to the internet where they would attempt to steal their information.
Analyst Notes
Although no attacks have been carried out thus far, it seems the group is getting ready to start attacking. Magecart overall has been in the news more recently for continuing to adapt their attack techniques into more undetectable means and Group 5’s new type of attack would prey on many victims who do not understand that open wifi is dangerous.
