Magecart Supply Chain Attacks Hit Hundreds of Restaurants

Security researchers have uncovered two separate Magecart campaigns which targeted online ordering platforms to exfiltrate card details from at least 311 US restaurants.

Recorded Future found e-skimming software injected into three platforms: MenuDrive, Harbortouch, and InTouchPOS. It has already identified 50,000 payment cards taken in these attacks and put up for sale on the dark web, but warned that many more may have been exposed.

The first campaign, targeting MenuDrive and Harbortouch, began around January 18. By hitting these providers, the attackers could access a large number of partner restaurants that use their services.

Some 80 restaurants hosted on MenuDrive domains and 74 hosted on Harbortouch were infected.

“The malicious e-skimmer loader scripts are still present on a portion of the websites,” the researchers noted.

“However, authorizen[.]net, the malicious domain used to host the e-skimmers themselves and receive stolen data, has been blocked since May 26 2022.”

The second campaign began no later than November 12 2021 and impacted 157 restaurants using InTouchPOS. Recorded Future warned that a “portion” of those restaurants remain infected and the malicious domains remain active.

The InTouchPOS campaign was likely perpetrated by the same actors that have compromised over 400 e-commerce websites since May 2020, with over 30 of the websites still infected as of June, the vendor claimed.

“Cyber-criminals often seek the highest payout for the least amount of work. This has led them to target restaurants’ online ordering platforms,” said Recorded Future.

“When even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which allows cyber-criminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack. The COVID-19 pandemic has only exacerbated this due to an influx of online ordering as restaurants’ dine-in options were restricted.”
