A total of 201 online college stores in the U.S. and Canada have fallen victim to a Magecart-style card-skimming attack that appears to be the work of a new cybercrime group with no clear ties to past Magecart activity.
Dubbed Mirrorthief, the group injected the sites' checkout pages with a customized skimmer script that grabs and exfiltrates payment card information and personal details, according to a Trend Micro blog post published on Friday. More specifically, the script was sneaked into the shared JavaScript payment checkout libraries used by stores running on PrismWeb, an e-commerce platform designed for campus book and merchandise stores.
"Unlike many web skimmers which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb's payment page," reports the post, written by Trend Micro fraud researcher Joseph Chen. "The skimmer collects data only from HTML elements with the specific IDs on PrismWeb's payment form."
Stolen information included addresses, phone numbers and of course card information including card numbers, expiration data, card type, verification numbers and cardholder names.
In order to pass as legitimate, the Mirrorthief skimmer code impersonates the format of the Google Analytics script, and the attackers even registered their malicious domain to make it look like a Google Analytics domain. Trend Micro notes that at least two other groups known to use skimmers, Magecart Group 11 and ReactGet, have taken similar tactics. However, "We could not connect this new attack to any of the previous Magecart actor groups and hence labeled them a new cybercrime group," explained Jon Clay, director of global threat communications at Trend Micro, in an email to SC Media. "The main differences were the infrastructure used in their attack and the skimmer used was different."
The skimmer works by copying payment data in JSON (JavaScript Object Notation) format, then encrypting it with an AES algorithm and Base64 coding. "Next, the skimmer will send it to a remote server by creating an HTML image element, which connects to their URL appended with the encrypted payment information as a query string. The server then receives the skimmed data from the URL’s query string and returns a 1 pixel PNG picture," Trend Micro reports. The attackers' use of a unique JSON schema suggests that "they use a unique back-end data receiver instead of popular skimming kits," the blog post concludes.
PrismRBS, a partnership between Nebraska Book Company’s technology division and Ratex Business Solutions, was informed of the attack on April 26, and has taken steps to remediate the issue since.
"Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, [and] notified law enforcement and payment card companies," reads a statement provided by Nebraska Book Company. "Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted." The company also says it's notifying potentially impacted customers of the incident, while strengthening its systems' security with "enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems."
