Magecart is a prolific stealer of bank card details. It is neither a malware type nor an attacker group — it is more like a skimming attack style. Around a dozen different bad actors have already been discovered using Magecart — and now there is a new one reported Friday: Mirrorthief.
Mirrorthief was discovered by Trend Micro, who detected attacks starting on April 14 against multiple campus store websites in the U.S. and Canada. The target websites are injected with a malicious skimming script that Trend has named JS.Mirrorthief.AA. The script scrapes payment card and personal details that are entered on the website’s payment page in a manner similar to the earlier Magecart attack against TicketMaster in June 2018.
In the TicketMaster attack, the attackers first compromised the software supplier Inbenta, injected the malware into a supplied script, and got downloaded onto the TicketMaster server. While the latest attack has similarities to this and other Magecart attacks, it is identical to none — and has been given the new name of Mirrorthief.
In this latest attack, the hackers first compromised the eCommerce platform PrismWeb which serves college stores owned by PrismRBS. The skimming script was injected into the JavaScript libraries used by the college stores, and consequently to the individual stores. Trend Micro has determined that 201 campus book and merchandise stores serving 176 colleges and universities in the U.S. and 21 in Canada loaded the malicious script.
Trend reported its findings to PrismRBS, who emailed a statement to SecurityWeek. “Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, notified law enforcement and payment card companies. Our investigation is ongoing…” Neither PrismRBS nor Trend Micro are yet aware of how much payment information was stolen.
The statement continues, “Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.”
In this latest attack, the hackers’ script was injected into the PrismWeb JavaScript payment checkout libraries. The script forged the Google Analytics script with a different script loaded from the attackers’ server. This is the primary script that steals the payment information. It is designed for and specifically targeted at PrismWeb.
The data it steals includes card number, expiry date, card type, card verification number (CVN), and the cardholder’s name, together with personal information such as addresses and phone numbers for billing. When the user finishes the websites payment form and clicks payment review, the skimmer steals the data, stores it in JSON format, and encrypts it with AES encryption and Base64 encoding. This is then exfiltrated as an HTML image element that connects to the attackers’ URL appended with the encrypted payment information as a query string. The server receives the data and returns a 1-pixel PNG image.
Disguising themselves as Google Analytics (the malicious domain is also similar to the original Google Analytics domain) is not unique. Other aspects are unique. “When we checked Mirrorthief’s network infrastructure, we found that it did not have any overlap with any known cybercrime groups. In addition, the skimmer Mirrorthief used in the attack is very different from the others since its specially designed to skim PrismWebís payment form. It sends the skimmed data through a unique JSON schema, which may hint that they use a unique backend data receiver instead of popular skimming kits.”
It seems that the world has yet another Magecart group to contend with.
Related: British Airways, Another Victim of Ongoing Magecart Attacks
Related: New Magecart Group Targets French Ad Agency
Related: Magecart Hackers Change Tactics Following Public Exposure
Related: Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks