[BreachExchange] Wisepay 'outage' is actually the school meal payments biz trying to stop an intruder from stealing customer card details

Destry Winant destry at riskbasedsecurity.com
Wed Oct 14 10:45:56 EDT 2020


https://www.theregister.com/2020/10/07/wisepay_outage_was_cyber_attack/

UK cashless school payments firm Wisepay has pulled its website
offline after spotting a miscreant trying to spoof its card payment
page.

The Hampshire-based company, which bills itself as "allowing parents
and guardians to make cashless payments to their [children's] school
or college", said its website was "down for maintenance".

Reg reader Jon told us: "Their website has been down since Sunday,
replaced with a 'down for maintenance' notice since Monday morning,
meaning that pupil accounts cannot be topped up for lunches, or items
that the school sells cannot be purchased."

Another reader added that parents were concerned about the downtime,
saying it was a "bit worrying considering this is the way most parents
pay for school meals/trips etc."

In reality the "outage" was a preemptive move to stop the unidentified
attacker from continuing with a "URL manipulation" attempt, as a
Wisepay spokesman explained it. He went on to say that the miscreant
was "spoofing the Sagepay page to capture card details", saying that
Wisepay itself merely provides a "gateway for parents" and doesn't
hold card information itself.

The company said it has informed the UK Information Commissioner's
Office and is working with a "cyber forensic agency" to investigate
further. It promised the website would be back online "between 4 and
5pm" today.

Wisepay customer Monk's Walk School, a secondary in Hertfordshire,
told parents in a Facebook post earlier today: "As a precautionary
measure we suggest that if you tried to use Wisepay between the 2nd
and 5th of October, you should take sensible precautions such as
checking your online banking for suspicious activity."

The school added, somewhat acidly: "On a practical level we are
investigating alternative payment methods so that you can continue to
make payments for your son or daughter."

The cashless payments service is used by schools and colleges across
the UK, and was acquired in 2017 by Community Brands UK Holdings Ltd,
which has other educational tech brands in its stable, including
"classroom behaviour management system" BehaviourWatch,
Teachers2Parents communications software, and educational software
Edusoft.

While cyber attacks targeting schools are not unheard of (the National
Cyber Security Centre warned institutions to sort out their security
earlier this year), it seems that the age-old tactic of targeting
supply chains has spread to the educational sector too. ®


More information about the BreachExchange mailing list