[BreachExchange] Magecart strikes website of school payments service Wisepay

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 9 10:33:51 EDT 2020


https://www.computerweekly.com/news/252490346/Magecart-strikes-website-of-school-payments-service-Wisepay

Wisepay <https://www.wisepay-software.com/>, a supplier of financial
services for schools that enables parents to pay for school meals, clubs
and trips, among other things, has recovered its service after discovering a
Magecart skimmer
<https://www.computerweekly.com/opinion/JavaScript-skimmers-an-evolving-and-dangerous-threat>
on its website was leaching credit card numbers earlier in October.

The firm said that data on an undisclosed number of transactions to
approximately 300 schools may have been stolen when users who thought they
were making legitimate payments were redirected, without their knowledge,
to a malicious external page masquerading as Wisepay’s website.

The firm’s managing director Richard Grazier told the BBC
<https://www.bbc.co.uk/news/technology-54465359> the website was
compromised via a “backdoor” in its database, and that only a small subset
of the platform’s users would have noticed. This may be in part because the
initial compromise occurred late on Friday 2 October and was discovered the
following Monday, and far fewer payments would have been processed over the
weekend.

Wisepay has notified both the Information Commissioner’s Office (ICO) and
the police about the incident, which it said had not compromised any of the
data it holds on its systems, and warned parents that any who think they
may have been affected should immediately contact their banks or credit
card providers, and change their online banking credentials.

Magecart works
<https://searchsecurity.techtarget.com/akamai/Video-Decoding-Magecart-Web-Skimming-Attacks>
by injecting malicious JavaScript code into websites and third-party
payment systems to steal credit card information while people enter it at
the checkout
<https://www.computerweekly.com/news/252484652/Accessories-store-Claires-hit-by-Magecart-credit-card-fraudsters>,
thinking they are making a legitimate payment. Recent high-profile
victims include accessories store Claire’s
<https://www.computerweekly.com/news/252484652/Accessories-store-Claires-hit-by-Magecart-credit-card-fraudsters>.

It is a relatively simple form of cyber attack, with high reward potential
for malicious actors, and as a result the technique is widely used by a
variety of threat actors, including the infamous Lazarus group
<https://www.computerweekly.com/news/252485702/North-Korea-behind-spate-of-Magecart-attacks>,
which is linked to the North Korean government. The prevalence of such
attacks has spiked since March 2020, given that far more people are shopping online
<https://www.computerweekly.com/news/252481069/Coronavirus-Magecart-attacks-on-online-retailers-jump-20>
during the Covid-19 pandemic.

Often, Magecart attacks begin with a targeted spearphishing attack on a
member of staff at the victim organisation, but cyber criminals have also
been known to exploit unsecured Amazon Web Services (AWS) S3 buckets
<https://www.computerweekly.com/news/252474188/Macys-Magecart-breach-presages-Christmas-fraud-spike>
and unpatched versions of Adobe’s Magento software, which is about to enter
end-of-life
<https://www.computerweekly.com/news/252489115/Retailers-urged-to-get-to-grips-with-Magento-as-attacks-spike>.

ProPrivacy’s <https://proprivacy.com/> Attila Tomaschek said: “The Wisepay
cyber attack highlights very clearly the dangers of online card skimming
attacks. Wisepay would be an attractive target for cyber criminals looking
to launch such an attack due to the large number of UK schools served by
the online payment portal.

“The main problem, however, is that these types of attacks can be
incredibly difficult to detect and, therefore, avoid. Those entering their
credit card information into a compromised payment page would really have
no idea that they were handing their card details over to cyber criminals
because these malicious payment pages are designed to appear perfectly
legitimate.

“While the responsibility to maintain secure payment pages obviously
resides with the merchant, consumers can protect themselves by keeping a
close, continuous eye on their credit reports and bank account statements
and refraining from clicking on dodgy links or entering sensitive
information onto any online form that seems off or compromised in any way,”
said Tomaschek.

“Educational institutions need to keep their eyes on the networks for signs
of intruders or user accounts escalating privileges, as well as making sure
the fundamentals are still happening despite all the distractions of the
start of term, like making sure old and unused user profiles are shut down
and can’t be used by attackers,” added Jérôme Robert, director at Active
Directory specialist Alsid <https://www.alsid.com/>.

“Given the turmoil in the education sector right now thanks to Covid, this
is yet another headache for schools. There has been a spate of highly
publicised ransomware attacks against universities
<https://www.computerweekly.com/news/252489125/NCSC-steps-up-ransomware-support-for-schools-and-universities>
recently, likely timed to coincide with the start of term – which attackers
hope will increase their chances of success,” he said.
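
The article describes skimmers as JavaScript injected into a payment page, and users being sent to an external page posing as the real one. As an added example (not part of the original article and not Wisepay's code), this Python check lists every script, iframe and form target in a payment page's HTML whose host is not on the merchant's allowlist; the hostnames, sample HTML and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a checkout page with one injected script and a
# form that posts to a lookalike host (all names are hypothetical).
PAGE_URL = "https://pay.school.example/checkout"
ALLOWED_HOSTS = {"pay.school.example", "js.processor.example"}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.processor.example/v3.js"></script>
<script src="//cdn.stats-collect.example/a.js"></script>
</head><body>
<form method="post" action="https://pay-school.example/checkout">
<input name="card_number"><input name="cvv">
</form>
</body></html>
"""

class PaymentPageAudit(HTMLParser):
    """Record where the page loads code from and where forms submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # (kind, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag in ("script", "iframe") and attr.get("src"):
            self.targets.append((tag, urljoin(self.page_url, attr["src"])))
        elif tag == "form":
            # A missing action submits back to the page's own URL.
            action = attr.get("action") or ""
            self.targets.append((tag, urljoin(self.page_url, action)))

def off_allowlist(html, page_url, allowed_hosts):
    """Return (kind, host, url) for every target outside allowed_hosts."""
    audit = PaymentPageAudit(page_url)
    audit.feed(html)
    findings = []
    for kind, url in audit.targets:
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append((kind, host, url))
    return findings

if __name__ == "__main__":
    for kind, host, url in off_allowlist(SAMPLE_HTML, PAGE_URL, ALLOWED_HOSTS):
        print(f"unexpected {kind} target: {host} ({url})")
```

This inspects the served HTML only; a script added at runtime by an already-allowed script is not visible here. In the browser, a Content-Security-Policy with `script-src` and `form-action` directives enforces the same allowlist.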