A cybercrime group has been spotted using notorious digital skimming techniques to infect 201 online campus stores in the US and Canada in a supply chain attack.
The gang targeted PrismWeb, an e-commerce platform owned by PrismRBS which is used by the sites, according to Trend Micro.
The group, dubbed “Mirrorthief” by the security vendor, injected a malicious script into the payment checkout libraries used by PrismWeb.
It made the script resemble a legitimate Google Analytics script, and registered a malicious domain that also mimics the Google one, in order to evade detection.
“Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page,” Trend Micro explained in a blog post.
“The skimmer collects data only from HTML elements with the specific IDs on PrismWeb’s payment form. The stolen credit card information includes card number, expiry date, card type, card verification number (CVN), and the cardholder’s name. The skimmer also steals personal information like addresses and phone numbers for billing.”
The skimmer then copies the info into the JavaScript Object Notation (JSON) format, before encrypting it and sending it to a remote server.
Although Magecart Group 11 and another gang, ReactGet, also use Google Analytics impersonation techniques, there is no overlap with the infrastructure used by Mirrorthief, and its skimmer is very different from the others in that it is customized to work on PrismWeb. It also used a different JavaScript library (Crypto-JS) from the others, according to Trend Micro.
“To defend against this type of threat, website owners should regularly check and strengthen their security with patches and server segregation. Site owners should also employ robust authentication mechanisms, especially for those that store and manage sensitive data,” Trend Micro advised.
“IT and security teams should restrict or disable outdated components, and habitually monitor websites and applications for any indicators of suspicious activity that could lead to data exfiltration, execution of unknown scripts, or unauthorized access and modification.”
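As an added example in the spirit of that monitoring advice (not part of this article or of Trend Micro's report), the following script-inventory audit flags external scripts whose hostnames imitate the Google Analytics domain, the disguise the article describes. It runs offline on a constructed list of script URLs; in a browser the list would be gathered from document.scripts, and every hostname other than the real Google Analytics ones is a constructed placeholder.

```javascript
// Legitimate Google Analytics hosts that a checkout page may load from.
const LEGIT_GA_HOSTS = new Set(["www.google-analytics.com", "google-analytics.com"]);

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Classify one script URL as "legit", "lookalike" or "other".
function classifyScriptHost(url) {
  const host = new URL(url).hostname.toLowerCase();
  if (LEGIT_GA_HOSTS.has(host)) return "legit";
  // A host within a few edits of the real one, or one that merely borrows the
  // brand words, is a lookalike that deserves review before it runs on checkout.
  const close = [...LEGIT_GA_HOSTS].some((h) => editDistance(host, h) <= 3);
  const branded = /google|analytics/.test(host);
  return close || branded ? "lookalike" : "other";
}

// Audit a script inventory and return the URLs flagged as lookalikes.
function findLookalikeScripts(urls) {
  return urls.filter((u) => classifyScriptHost(u) === "lookalike");
}

// Constructed sample inventory for a checkout page (placeholder hosts).
const SAMPLE_SCRIPTS = [
  "https://www.google-analytics.com/analytics.js",
  "https://cdn.example-store.test/checkout.js",
  "https://google-analytics.example/analytics.js", // constructed lookalike
  "https://www.googie-analytics.test/ga.js",       // constructed lookalike
];

console.log(findLookalikeScripts(SAMPLE_SCRIPTS));
```

A real deployment would pair this with a script-src allowlist in Content-Security-Policy and periodic diffing of the inventory, so that any newly appearing third-party script on the payment page raises an alert rather than relying on name matching alone.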