A hacking group injected a JavaScript-based payment card skimmer into the checkout pages of more than 200 U.S. and Canadian online campus stores powered by the PrismWeb e-commerce platform.

Skimmer scripts injected into online stores powered by platforms such as Magento, OpenCart, and osCommerce, which monitor checkout forms and steal the data customers enter, are the hallmark of Magecart attacks; the term now also covers the threat groups that use such scripts in their operations.

In late February, researchers at RiskIQ (the firm that coined the term) and Trend Micro showed how Magecart Group 12 infiltrated hundreds of online stores by compromising an advertising script in a supply chain attack.

Magecart groups are a continuously evolving threat. They have been behind attacks on high-profile international organizations such as Ticketmaster, British Airways, OXO, and Newegg, as well as smaller retailers such as MyPillow and Amerisleep.

PrismWeb skimming attack chain

The PrismWeb skimming script

According to Trend Micro fraud researcher Joseph Chen, the malicious Magecart script was injected on April 14 into the payment checkout libraries used by PrismWeb-powered online stores.

The skimmer was later found on "201 campus book and merchandise online stores, which serves 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown."

Further analysis showed that the skimmer scripts used in these attacks stole customers' payment information and personal details and sent them to a server under the attackers' control.

Chen also found that the script was built specifically for the PrismWeb e-commerce platform: it only collects data from "HTML elements with the specific IDs" used on PrismWeb checkout pages.

Stolen data in the attack

"The stolen credit card information includes card number, expiry date, card type, card verification number (CVN), and the cardholder’s name. The skimmer also steals personal information like addresses and phone numbers for billing," said the researcher.

Once collected, the stolen data is serialized as JavaScript Object Notation (JSON), AES-encrypted and encoded, and then sent to the Magecart group through an HTML image element.

That image element "connects to their URL appended with the encrypted payment information as a query string. The server then receives the skimmed data from the URL’s query string and returns a 1 pixel PNG picture," according to Chen.

Because Trend Micro could not link the attack to any known Magecart group, it attributes it to a new group it has dubbed Mirrorthief. The researchers did note, however, that the skimmer used in the PrismWeb attack was written to mimic the format of Google Analytics scripts so that it blends in and stays unnoticed for as long as possible.

The skimmer script found on a store checkout page

"Impersonating the Google Analytics service is a known tactic also used by Magecart Group 11, the group behind the Vision Direct breach. Another group called ReactGet, which infected many e-commerce websites around the world, was also recently seen adopting a similar impersonation tactic," said Chen.

Despite the resemblance, one thing clearly sets the three groups apart: the encryption libraries they use. Mirrorthief uses Crypto-JS (AES), ReactGet uses JSEncrypt (RSA), and Magecart Group 11 uses the Gibberish-AES library (AES).

PrismRBS, the company behind the PrismWeb e-commerce platform, also issued an official statement after receiving Trend Micro's disclosure report:

On April 26, 2019, PrismRBS became aware that an unauthorized third party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts. Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, and notified law enforcement and payment card companies. Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted. Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites. We are proactively notifying potentially impacted customers to let them know about the incident, the steps we are taking to address the situation, and steps they can take to protect their end users. We deeply regret any concern or frustration this incident may cause. Protecting the security and privacy of information remains a top priority. We are taking steps to further strengthen the security of our systems, including enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems. Once our investigation concludes, we will be providing our customers with additional information and guidance.

Magecart groups are diversifying their targets

The attack on PrismWeb is further evidence that Magecart groups are expanding to more and more e-commerce platforms, stealing as much personal and financial data as they can and selling it to the highest bidder.

"They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information. This widens the scope of potential Magecart victims far beyond e-commerce alone," said RiskIQ researcher Yonathan Klijnsma in a report published yesterday and detailing a large-scale operation led by a Magecart hacking group against OpenCart online stores.

BleepingComputer also reported that another group built and deployed a polymorphic Magecart skimmer with support for 57 payment gateways worldwide, which lets it be dropped into almost any checkout page on any website and scrape payment card data without further customization.

Update May 03 15:19 EDT: Added more details on how the attackers exfiltrate the stolen data.