A total of 201 online college stores in the U.S. and Canada have fallen victim to a Magecart-style card-skimming attack that appears to be the work of a new cybercrime group with no clear ties to past Magecart activity.
“Unlike many web skimmers which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page,” reports the Trend Micro post, written by fraud researcher Joseph Chen. “The skimmer collects data only from HTML elements with the specific IDs on PrismWeb’s payment form.”
Stolen information included addresses, phone numbers and, of course, card information: card numbers, expiration dates, card type, verification numbers and cardholder names.
In order to pass as legitimate, the Mirrorthief skimmer code impersonates the format of the Google Analytics script, and the attackers even registered their malicious domain to make it look like a Google Analytics domain. Trend Micro notes that at least two other groups known to use skimmers, Magecart Group 11 and ReactGet, have used similar tactics. However, “We could not connect this new attack to any of the previous Magecart actor groups and hence labeled them a new cybercrime group,” explained Jon Clay, director of global threat communications at Trend Micro, in an email to SC Media. “The main differences were the infrastructure used in their attack and the skimmer used was different.”
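Because the skimmer hid behind a Google Analytics look-alike script and domain, one client-side monitoring check a store operator can run is to enumerate every external script a checkout page loads and flag any host that is not on an explicit allowlist, paying extra attention to hosts that merely contain “analytics” in their name. The following is an added illustration, not code from Trend Micro, PrismRBS or the article; the allowlist, the sample checkout HTML and the look-alike domain it contains are all constructed for the example and are not the real Mirrorthief infrastructure.

```javascript
// Added example: audit the external <script> sources on a checkout page and
// flag anything not on the allowlist, including "analytics" look-alike hosts.
// Allowlist is an assumption for this example; a real store would list the
// exact third-party hosts its payment page is expected to load.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);

// Pull the src attribute out of every <script> tag in an HTML string.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Classify each script source as "allowed" (first-party or allowlisted host),
// "lookalike" (host or path mimics an analytics loader but is not allowlisted)
// or "unknown" (any other third-party host).
function auditScripts(html, pageOrigin) {
  const firstPartyHost = new URL(pageOrigin).hostname;
  return extractScriptSources(html).map((src) => {
    const url = new URL(src, pageOrigin);
    const host = url.hostname;
    let verdict = "unknown";
    if (host === firstPartyHost || ALLOWED_SCRIPT_HOSTS.has(host)) {
      verdict = "allowed";
    } else if (/analytics|gtag|googletag/i.test(host + url.pathname)) {
      verdict = "lookalike";
    }
    return { src, host, verdict };
  });
}

// Only the entries a monitoring tool should alert on.
function findSuspiciousScripts(html, pageOrigin) {
  return auditScripts(html, pageOrigin).filter((r) => r.verdict !== "allowed");
}

// Constructed checkout page: the real GA loader, a first-party script, and a
// third script whose host and filename imitate Google Analytics.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script src="https://google-analytics.example-lookalike.test/analytics.js"></script>
</head><body><input id="cardNumber"><input id="cvv"></body></html>`;
```

Run on a page fetched from the live checkout URL on a schedule, the same audit surfaces a newly injected loader the moment it appears rather than after customers report fraud.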
PrismRBS, a partnership between Nebraska Book Company’s technology division and Ratex Business Solutions, was informed of the attack on April 26 and has since taken steps to remediate the issue.
“Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, [and] notified law enforcement and payment card companies,” reads a statement provided by Nebraska Book Company. “Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted.” The company also says it’s notifying potentially impacted customers of the incident, while strengthening its systems’ security with “enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems.”