[BreachExchange] Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites

Destry Winant destry at riskbasedsecurity.com
Wed May 8 05:38:28 EDT 2019


https://www.securityweek.com/magecart-skimming-attack-hits-hundreds-campus-e-commerce-sites

Magecart is a prolific stealer of bank card details. It is neither a
malware type nor an attacker group -- it is more like a skimming
attack style. Around a dozen different bad actors have already been
discovered using Magecart -- and now there is a new one reported
Friday: Mirrorthief.

Mirrorthief was discovered by Trend Micro, who detected attacks
starting on April 14 against multiple campus store websites in the
U.S. and Canada. The target websites are injected with a malicious
skimming script that Trend has named JS.Mirrorthief.AA. The script
scrapes payment card and personal details that are entered on the
website's payment page in a manner similar to the earlier Magecart
attack against TicketMaster in June 2018.

In the TicketMaster attack, the attackers first compromised the
software supplier Inbenta and injected the malware into a script that
Inbenta supplied, which was then downloaded onto the TicketMaster
server. While the latest attack has similarities to this and other
Magecart attacks, it is identical to none of them -- hence the new
name, Mirrorthief.

In this latest attack, the hackers first compromised PrismWeb, the
eCommerce platform owned by PrismRBS that serves college stores. The
skimming script was injected into the JavaScript libraries used by the
college stores, and consequently into the individual stores
themselves. Trend Micro has determined that 201 campus book and
merchandise stores serving 176 colleges and universities in the U.S.
and 21 in Canada loaded the malicious script.

Trend reported its findings to PrismRBS, who emailed a statement to
SecurityWeek. "Upon learning of this incident, we immediately took
action to halt the current attack, initiated an investigation, engaged
an external IT forensic firm to assist in our review, notified law
enforcement and payment card companies. Our investigation is
ongoing..." Neither PrismRBS nor Trend Micro are yet aware of how much
payment information was stolen.

The statement continues, "Based on our review to date, we have
determined that an unauthorized party was able to install malicious
software designed to capture payment card information on some of our
customers' e-commerce websites."

In this latest attack, the hackers' script was injected into the
PrismWeb JavaScript payment checkout libraries. Disguised as the
Google Analytics script, it loaded a different script from the
attackers' server. That second script is the primary one that steals
the payment information; it is designed for and specifically targeted
at PrismWeb.

The data it steals includes card number, expiry date, card type, card
verification number (CVN), and the cardholder's name, together with
personal information such as billing addresses and phone numbers.
When the user completes the website's payment form and clicks payment
review, the skimmer steals the data, stores it in JSON format,
encrypts it with AES, and Base64-encodes the result. The data is then
exfiltrated via an HTML image element whose source is the attackers'
URL with the encrypted payment information appended as a query string.
The server receives the data and returns a 1-pixel PNG image.
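As an added illustration (not code from the article, Trend Micro or PrismRBS), the following Node-compatible heuristic flags resource URLs that fit the beacon pattern described above: a request to a host outside the page's allowlist, carrying a single long Base64-looking query value, often on a pixel-style endpoint under an analytics lookalike name. The allowlist, thresholds and sample URLs are constructed assumptions.

```javascript
// Hosts a given checkout page legitimately loads from (assumed allowlist).
const ALLOWED_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
  "shop.example.edu",
]);

// Base64 alphabet, including URL-safe variants, with optional padding.
const BASE64_RE = /^[A-Za-z0-9+/_-]+={0,2}$/;
const MIN_BLOB_LENGTH = 64; // shorter values are ordinary tracking parameters

function looksLikeAnalyticsHost(host) {
  // Lookalike domains tend to keep a recognisable fragment of the brand.
  return /google|analytics|gtag|gstatic/i.test(host);
}

function analyzeResourceUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(raw); } catch { return { suspicious: false, reasons: ["unparseable"], host: null }; }
  const reasons = [];
  if (allowedHosts.has(url.hostname)) return { suspicious: false, reasons, host: url.hostname };

  if (looksLikeAnalyticsHost(url.hostname)) reasons.push("analytics-lookalike-host");
  if (/\.(png|gif)$/i.test(url.pathname)) reasons.push("pixel-endpoint-on-unknown-host");

  // Inspect the raw query (not searchParams, which would decode '+' to a space)
  // for one long Base64-looking value: encrypted JSON appended as a query string.
  const rawQuery = url.search.startsWith("?") ? url.search.slice(1) : url.search;
  for (const pair of rawQuery.split("&")) {
    const value = pair.slice(pair.indexOf("=") + 1);
    if (value.length >= MIN_BLOB_LENGTH && BASE64_RE.test(value)) {
      reasons.push("long-base64-query");
      break;
    }
  }
  // The blob is the decisive signal; the other reasons are supporting context.
  return { suspicious: reasons.includes("long-base64-query"), reasons, host: url.hostname };
}

function findSuspiciousBeacons(urls, allowedHosts = ALLOWED_HOSTS) {
  return urls.map(u => ({ url: u, ...analyzeResourceUrl(u, allowedHosts) }))
             .filter(r => r.suspicious);
}

// Constructed sample resource list for a checkout page; the third entry mimics
// a pixel beacon on a lookalike host carrying a Base64 blob.
const SAMPLE_URLS = [
  "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-0000-1",
  "https://shop.example.edu/static/checkout.js",
  "https://google-analytics.example/pixel.png?d=" + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo".repeat(3),
];

console.log(findSuspiciousBeacons(SAMPLE_URLS));
```

In a browser the same function can be fed `performance.getEntriesByType("resource").map(e => e.name)` on the payment page, or the `blocked-uri` values from Content-Security-Policy violation reports.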

Disguising itself as Google Analytics (the malicious domain is also
similar to the genuine Google Analytics domain) is not unique to
Mirrorthief. Other aspects are. "When we checked Mirrorthief's network
infrastructure, we found that it did not have any overlap with any
known cybercrime groups. In addition, the skimmer Mirrorthief used in
the attack is very different from the others since it's specially
designed to skim PrismWeb's payment form. It sends the skimmed data
through a unique JSON schema, which may hint that they use a unique
backend data receiver instead of popular skimming kits."

