[BreachExchange] Magecart Hits Parents and Students via Blue Bear Attack

Destry Winant destry at riskbasedsecurity.com
Wed Jan 8 10:10:35 EST 2020


https://threatpost.com/magecart-blue-bear-attack/151585/

The latest attack takes aim at a vertical-specific e-commerce platform.

Blue Bear Software, an administration and e-commerce platform for K-12
schools and other educational institutions, is warning its customers
that it has suffered a Magecart attack.

Blue Bear’s platform enables management of school accounting, student
fees and online stores. In a letter to those affected (obtained by
Bleeping Computer), the vendor’s parent company, Active Networks, said
that anyone who had purchased items from a school webstore that was
powered by its platform is potentially affected.

Magecart is an umbrella term encompassing several different threat
groups who typically use the same modus operandi: They compromise
websites by exploiting vulnerabilities in third-party e-commerce
platforms, in order to inject card-skimming scripts on checkout pages.

At Virus Bulletin last October, researchers at RiskIQ said that
Magecart is now so ubiquitous that its infrastructure is flooding the
internet. There are at least 570 known command-and-control (C2)
domains for the group, with close to 10,000 hosts actively loading
those domains, researchers said.

“This time, the attack targeted an educational accounting software
platform that parents use to pay for student fees, books and school
supplies,” Elad Shapira, head of research at Panorays, said in an
emailed statement. “Online retailers like Blue Bear are prime targets
for Magecart, because data is easily stolen during checkout, often
through third parties, as customers enter their credit cards.”

In this case, the card-skimmers were present on websites using Blue
Bear from Oct. 1 to Nov. 13 and collected names, payment-card numbers,
expiration dates and CVV codes, and Blue Bear user IDs and passwords.
No Social Security numbers, driver license numbers or similar
government ID card numbers were caught up in the breach.

Magecart’s focus on attacking victims via the supply chain is part of
a larger trend of attackers wanting to ‘own’ an entire system,
including partners and suppliers.

Carbon Black’s Global Incident Response Threat Report last year found
that 50 percent of today’s attacks leverage “island hopping.” This
means that attackers are after not only one target network but also
those that are connected via a supply chain.

“To prevent such attacks from occurring, companies must create and put
processes in place to manage and review their susceptibility to the
Magecart threat in their cyber supply chain,” said Shapira. “Doing so
is important throughout the whole third-party business relationship,
and should include continuous monitoring of third parties’
cyber-posture.”

