• The group has impacted 201 online campus stores in the United States and Canada.
• The group is using Trojan.JS.MIRRORTHEIF.AA to steal payment card and personal details of customers.

The Magecart credit card skimming attack has recently been found to be linked with a new cybercrime group called Mirrorthief. The group has impacted 201 online campus stores in the United States and Canada.

What’s the matter?

According to a report from Trend Micro, the Mirrorthief hacking group is using a malicious skimming script – Trojan.JS.MIRRORTHEIF.AA – to steal payment card and personal details of customers. The attack against multiple campus store websites was detected by researchers on April 14, 2019.

The hackers injected the skimming script into the checkout pages of the websites, which consequently sent the stolen information to a remote server.

Which stores are compromised?

After a thorough investigation, the Trend Micro researchers learned that the Mirrorthief group compromised PrismWeb-based e-commerce websites. The PrismWeb, is an e-commerce platform designed for college stores by company PrismRBS, a subsidiary of Nebraska Book Company.

“The attacker injected their skimming script into the shared JavaScript libraries used by online stores on the PrismWeb platform. We confirmed that their scripts were loaded by 201 campus book and merchandise online stores, which serves 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown,” researchers wrote in a blog post.

How Mirrorthief performs its skimming activity?

Researchers noted that the Mirrorthief’s skimming JavaScript has been specifically designed to infect PrismWeb’s payment form. The location of injected payment checkout libraries on affected online stores are:

• hxxps://[online store domain]/innerweb/v4.0/include/js/checkout_payment[.]js
• hxxps://[online store domain]/innerweb/v3.1/include/js/checkout_payment[.]js

The injected malicious script is forged as a Google Analytics script.

“The injected script forged the Google Analytics script format, but loaded a different script from the attackers’ server. The loaded script is the main script that steals the payment information. Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page,” researchers added.

Once the user fills the payment form and clicks on the payment review, the skimmer code copies the targeted information into JavaScript Object Notation (JSON) format data. Later, it encrypts the stolen data using AES and Base64 encryption.

What information is stolen?

The skimmer collects data only from HTML elements with the specific IDs on PrismWeb’s payment form. The stolen credit information includes card number, expiry date, card type, card verification number, and the cardholder’s name. The skimmer also steals personal information like addresses and phone number for billing.

What action has been taken?

PrismRBS has been informed about the attack. The company has since released an official statement regarding the attack. It reported that the company became aware of unauthorized third-party access on e-commerce websites on April 26, 2019.

Upon learning of the incident, it immediately took actions to halt the attack. It has also initiated an investigation into the matter and notified the law enforcement agencies & payment card companies.