
MirrorThief Card Skimmer

Posted: May 17, 2019

Hundreds of online campus stores fell victim to a Magecart skimming attack that collected the credit card information of their customers. While several active hacker groups carry out Magecart attacks, this latest breach had some distinct characteristics that set it apart, leading the researchers to conclude that a new threat actor had emerged. In their report, they dubbed this new group Mirrorthief.

Over 200 Stores Were Compromised

The card-skimming script used by Mirrorthief impacted 201 online campus stores that serve 176 colleges and universities in the U.S. and 21 in Canada. The collected data included credit card information such as card number, card type, CVN (card verification number), expiry date, and the name of the cardholder. In addition, personally identifiable information entered on the payment checkout page was also logged, including addresses and phone numbers. All of the customers' data is copied into JSON (JavaScript Object Notation) format, encrypted with AES, and Base64-encoded before being sent to a remote server controlled by the attackers.

What Sets Mirrorthief Apart?

When comparing the attack by Mirrorthief to those carried out by other Magecart-wielding cybercriminal groups such as Magecart Group 11 and ReactGet, researchers observed some significant differences. Mirrorthief's card-skimming script was crafted with a specific target in mind - the payment checkout libraries of the PrismWeb platform, an e-commerce platform for online college stores designed by the company PrismRBS. All three hacker groups also employ different encryption methods for the exfiltrated data.

To disguise the activity of their malicious script, Mirrorthief designed it to mimic a legitimate Google Analytics script. The remote domain is also made to look as similar to a Google Analytics domain as possible. This impersonation technique has also been observed as part of Magecart Group 11's activity, while ReactGet has adopted it recently.
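A defender-side check for the impersonation described above, as an added example that is not part of the original report: it pulls every external script source from a checkout page and flags hosts that are not on an allowlist but closely resemble the Google Analytics domains. The sample page HTML, the allowlist and the lookalike host are constructed for this example and are not the real indicators from the campaign.

```python
import difflib
import re
from urllib.parse import urlparse

# Allowlist of script hosts a checkout page is expected to load (assumed for this example).
ALLOWED_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "www.googletagmanager.com"}

# Brand names (host minus "www." and TLD) that a skimmer domain is likely to imitate.
IMPERSONATED_BRANDS = ("google-analytics", "googletagmanager")

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def host_of(src: str) -> str:
    """Hostname of a script src; '' for a same-origin relative path."""
    if src.startswith("//"):            # protocol-relative URL
        src = "https:" + src
    elif "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def brand_of(host: str) -> str:
    """Strip 'www.' and the final label so 'google-analytics.cm' and
    'www.google-analytics.com' both reduce to 'google-analytics'."""
    if host.startswith("www."):
        host = host[4:]
    return host.rsplit(".", 1)[0] if "." in host else host


def classify_host(host: str, threshold: float = 0.8) -> str:
    """'allowed' | 'lookalike' | 'unknown' | 'same-origin'."""
    if not host:
        return "same-origin"
    if host in ALLOWED_HOSTS:
        return "allowed"
    brand = brand_of(host)
    # Highest string similarity to any imitated brand; a near miss is a typosquat.
    score = max(difflib.SequenceMatcher(None, brand, b).ratio() for b in IMPERSONATED_BRANDS)
    return "lookalike" if score >= threshold else "unknown"


def audit_scripts(html: str) -> list:
    """Return (src, host, verdict) for every <script src=...> in the page."""
    return [(src, host_of(src), classify_host(host_of(src))) for src in SCRIPT_SRC_RE.findall(html)]


# Constructed checkout page: one legitimate GA tag, one typosquat, one unrelated CDN, one local script.
SAMPLE_CHECKOUT_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//googie-analytics.example/analytics.js"></script>
<script src="https://cdn.shop-vendor.example/checkout.js"></script>
<script src="/static/checkout.js"></script>
"""

if __name__ == "__main__":
    for src, host, verdict in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{verdict:12s} {host or '(same-origin)':30s} {src}")
```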

PrismRBS Initiate Investigation, Bolster Security

After PrismRBS were made aware of the breach, they informed their clients about the steps they are taking to mitigate the consequences of the incident. In an official statement, the company announced that they had contacted the credit card companies, notified law enforcement, and hired a third-party IT forensic firm to assist in the investigation of the attack. PrismRBS stated that they would strengthen their systems by "including enhanced client-side and back-end monitoring tools" as well as doing "a comprehensive end-to-end audit."
