Security researchers from Trend Micro have uncovered a Magecart skimming attack that targeted 201 online campus stores in the United States and Canada.
Magecart is an online credit card stealing or “skimming” attack responsible for numerous malware attacks in 2018, like the breaches of Feedify, Ticketmaster and British Airways. Magecart attacks date back to 2015 and involve hackers implanting malicious code into websites and third-party systems in order to steal payment card data via the checkout page.
Trend Micro first spotted the Magecart activity targeting multiple online campus store websites on April 14. Hackers that Trend Micro dubbed “Mirrorthief” injected a malicious skimming script, detected as “Trojan.JS.MIRRORTHEIF.AA”, into the payment checkout pages. The malicious script scrapes, or skims, the credit card and other personal information entered by users on the payment page and sends it back to a remote server under the hackers’ control.
As part of the analysis, the researchers also noticed that the hackers had compromised a third-party e-commerce platform, PrismWeb, used by many college stores. PrismWeb is developed by PrismRBS, a subsidiary of Nebraska Book Company.
PrismRBS responded to the skimming attack and issued a statement, as noted by Trend Micro:
“On April 26, 2019, PrismRBS became aware that an unauthorized third-party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts. Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, notified law enforcement and payment card companies. Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted. Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.
We are proactively notifying potentially impacted customers to let them know about the incident, the steps we are taking to address the situation, and steps they can take to protect their end users. We deeply regret any concern or frustration this incident may cause. Protecting the security and privacy of information remains a top priority. We are taking steps to further strengthen the security of our systems, including enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems. Once our investigation concludes, we will be providing our customers with additional information and guidance.”
Symantec also wrote about similar attacks, which it called “formjacking”, in September of 2018. The company warned at the time of major attacks on online retailers aimed at committing payment card fraud.
To help protect against similar attacks, network and site administrators can implement intrusion prevention systems (IPS) and signatures to detect and block these threats. Website owners should keep systems up to date with patches, enforce system segregation, and implement strong authentication for users who access or manage sensitive data or hold elevated privileges.
IT/security teams should also proactively monitor their websites/applications for indicators of compromise or suspicious activity that could lead to data theft or unauthorized access.
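The attack described above works by adding a script to the checkout page that was not there before. One practical form of the proactive monitoring recommended here is a script-integrity check: record the inline scripts and script sources present on a known-good copy of the checkout page, then periodically re-fetch the page and flag any external script host that is not on an allowlist or any inline script whose hash is not in the baseline. The following is an added example written for this article, not code from Trend Micro, PrismRBS or the original report; the page HTML, hostnames and allowlist are constructed sample data, and the injected inline script is a harmless placeholder.

```python
"""
Checkout-page script-integrity audit (added example, standard library only).
Assumptions: ALLOWED_SCRIPT_HOSTS is a hypothetical allowlist of hosts the
store expects to load scripts from; KNOWN_GOOD_PAGE and TAMPERED_PAGE are
constructed sample HTML, not real store pages.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the checkout page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"store.example.edu", "cdn.example-payments.com"}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data; buffer until the end tag.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_from_html(html: str) -> set:
    """Hashes of every inline script on a known-good copy of the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {sha256_hex(body) for body in parser.inline}


def audit_checkout_page(html: str, baseline: set, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return (finding_type, detail) pairs for scripts that violate expectations."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # also catches protocol-relative //host/path
        if host is None:
            continue  # relative URL: served by the store itself
        if host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in parser.inline:
        digest = sha256_hex(body)
        if digest not in baseline:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed sample: a known-good checkout page.
KNOWN_GOOD_PAGE = """
<html><body>
<form id="checkout"><input name="card_number"><button>Pay</button></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.com/pay.js"></script>
<script>window.storeConfig = {currency: "USD"};</script>
</body></html>
"""

# Constructed sample: the same page after two scripts were added (placeholders only).
TAMPERED_PAGE = KNOWN_GOOD_PAGE.replace("</body>", """
<script src="https://stats-collector.example.net/analytics.js"></script>
<script>/* constructed placeholder for an injected inline script */ var injected = 1;</script>
</body>""")


def demo() -> list:
    """Audit the tampered page against the known-good baseline."""
    baseline = baseline_from_html(KNOWN_GOOD_PAGE)
    return audit_checkout_page(TAMPERED_PAGE, baseline)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Run against the known-good page the audit returns nothing; against the tampered page it reports one unexpected external host and one unknown inline script. The same expectation can be enforced in the browser with a Content-Security-Policy `script-src` directive listing only the allowed hosts, but a server-side audit like this one also tells the operator when the page has changed, which is the indicator of compromise the text above is asking teams to watch for.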