Hackers stole card data from 201 campus online stores in US and Canada, is it the Magecart group?

Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify. ​​

News of the day is that Magecart group injected its malicious JavaScript code in the PrismWeb​ e-commerce platform after it has breached the PrismRBS.

Experts at Trend Micro uncovered a Magecart attack that hit at least 201 online stores which serve 176 colleges and universities in the U.S. and 21 in Canada.

The hackers injected a malicious JavaScript code on the checkout and payment pages of online stores to steal payment card data.

“The attacker injected their skimming script into the shared JavaScript libraries used by online stores on the PrismWeb platform.” reads the analysis published by Trend Micro. “We confirmed that their scripts were loaded by 201 campus book and merchandise online stores, which serves 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown.”

Trend Micro experts discovered the attacks on April 14, the attackers used a script that mimics the Google Analytics script format,

Trend Micro reported its discovery to the vendor that removed the card skimmer code from the platform on April 26.

“On April 26, 2019, PrismRBS became aware that an unauthorized third-party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts. Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, notified law enforcement and payment card companies.” reads a statement published by PrismRBS. “Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.”

According to Trend Micro, the infrastructure used in this attack doesn’t overlap with the one used in previous attacks by the Magecart cybercrime groups.

“Since we can’t connect the said attack to any previous Magecart groups — even if the attack shared some similar characteristics with a few of them — we labeled this new group “Mirrorthief”. ” continues Trend Micro.

Further technical details on this campaign, including Indicators of Compromise (IoCs) are reported in the analysis published by Trend Micro.

A few days ago, Magecart group made the headlines again after that the Magecart Group 12 was spotted conducting a large-scale operation that targets OpenCart online stores.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Magecart group, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]