web analytics

Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada

We uncovered a recent activity involving the notorious online credit card skimming attack known as Magecart. The attack, facilitated by a new cybercrime group, impacted 201 online campus stores in the United States and Canada.

We started detecting the attacks against multiple campus store websites on April 14, during which the sites were injected with a malicious skimming script (detected by Trend Micro as Trojan.JS.MIRRORTHEIF.AA) at their payment checkout pages. The skimming script can scrape credit card information, as well as personal details entered on the payment page. The stolen information is consequently sent to a remote server. After looking into this attack, we learned that the attackers compromised PrismWeb, which is an e-commerce platform designed for college stores by company PrismRBS, a subsidiary of Nebraska Book Company.

The attacker injected their skimming script into the shared JavaScript libraries used by online stores on the PrismWeb platform. We confirmed that their scripts were loaded by 201 campus book and merchandise online stores, which serves 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown.

We disclosed our findings to PrismRBS. The company has since released an official statement regarding the skimming attack: “On April 26, 2019, PrismRBS became aware that an unauthorized third-party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts. Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, notified law enforcement and payment card companies. Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted. Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.

We are proactively notifying potentially impacted customers to let them know about the incident, the steps we are taking to address the situation, and steps they can take to protect their end users. We deeply regret any concern or frustration this incident may cause. Protecting the security and privacy of information remains a top priority. We are taking steps to further strengthen the security of our systems, including enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems. Once our investigation concludes, we will be providing our customers with additional information and guidance.”

Since we can’t connect the said attack to any previous Magecart groups — even if the attack shared some similar characteristics with a few of them — we labeled this new group “Mirrorthief”.

Figure 1. Mirrorthief attack chain

Figure 1. Mirrorthief attack chain

Figure 2. Payment page of PrismWeb online store loads Mirrorthief’s skimming script

Figure 2. Payment page of PrismWeb online store loads Mirrorthief’s skimming script

Figure 3. Mirrorthief injection on PrismWeb checkout payment’s library

Figure 3. Mirrorthief injection on PrismWeb checkout payment’s library

How Mirrorthief performs their skimming activities

On April 14, the attackers injected a script to the payment checkout libraries used by the PrismWeb platform. The location of injected payment checkout libraries on affected online stores were:

  • hxxps://[online store domain]/innerweb/v4.0/include/js/checkout_payment[.]js
  • hxxps://[online store domain]/innerweb/v3.1/include/js/checkout_payment[.]js

The injected script forged the Google Analytics script format, but loaded a different script from the attackers’ server. The loaded script is the main script that steals the payment information. Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page. The skimmer collects data only from HTML elements with the specific IDs on PrismWeb’s payment form. The stolen credit card information includes card number, expiry date, card type, card verification number (CVN), and the cardholder’s name. The skimmer also steals personal information like addresses and phone numbers for billing.

Once the user has finished filling in the payment form and clicked on the payment review, the skimmer copies the targeted information into JavaScript Object Notation (JSON) format data and encrypts it with AES encryption and Base64 encoding. Next, the skimmer will send it to a remote server by creating an HTML image element, which connects to their URL appended with the encrypted payment information as a query string. The server then receives the skimmed data from the URL’s query string and returns a 1 pixel PNG picture.

HTML Element IDMirrorthief JSON Data SchemaInformation
_cc_numberaaCredit card number
_cc_expmonthbbCredit card expiration month
_cc_expyearccCredit card expiration year
cc_typeddCredit card type
_cc_cvneeCredit card CVN number
cc_first_nameffFirst name of cardholder
cc_last_nameggLast name of cardholder
bill_to_phonehhPhone number for billing
bill_to_countryiiBilling address (country)
bill_to_statejjBilling address (state)
bill_to_street1kkBilling address (street)
bill_to_street2llBilling address (street)
bill_to_citymmBilling address (city)
bill_to_zipnnBilling address (zip code)

Table 1. Sensitive data targeted by Mirrorthief’s skimmer

Figure 4. Mirrorthief skimming script copies payment information and encrypts it with AES encryption (deobfuscated)

Figure 4. Mirrorthief skimming script copies payment information and encrypts it with AES encryption (deobfuscated)

Comparing Magecart-wielding groups

The Mirrorthief group made the injected script on the compromised libraries similar to legitimate Google Analytics script and registered their malicious domain (which also appears similar to the original Google Analytics domain) to disguise their activity. Impersonating the Google Analytics service is a known tactic also used by Magecart Group 11, the group behind the Vision Direct breach. Another group called ReactGet, which infected many e-commerce websites around the world, was also recently seen adopting a similar impersonation tactic.

When we checked Mirrorthief’s network infrastructure, we found that it did not have any overlap with any known cybercrime groups. In addition, the skimmer Mirrorthief used in the attack is very different from the others since it’s specially designed to skim PrismWeb’s payment form. It sends the skimmed data through a unique JSON schema, which may hint that they use a unique backend data receiver instead of popular skimming kits. Moreover, the three groups encrypted the skimmed data before the transfer, but used different JavaScript libraries. Below is a table for comparison.

GroupEncryption AlgorithmJavaScript Library
Magecart Group 11AESGibberish-AES
ReactGetRSAJSEncrypt
MirrorthiefAESCrypto-JS

Table 2. Comparison of encryption algorithms used by the different groups

Figure 5. Magecart Group 11 injection pattern

Figure 5. Magecart Group 11 injection pattern

Figure 6. ReactGet Group injection pattern

Figure 6. ReactGet Group injection pattern

Figure 7. Mirrorthief Group injection pattern

Figure 7. Mirrorthief Group injection pattern

Magecart has evolved its tactics and exposed many sites to skimming attacks over the years. Groups that employ this digital attack have been known to come up with new ways to stay undetected on the sites they compromise. To defend against this type of threat, website owners should regularly check and strengthen their security with patches and server segregation. Site owners should also employ robust authentication mechanisms, especially for those that store and manage sensitive data. IT and security teams should restrict or disable outdated components, and habitually monitor websites and applications for any indicators of suspicious activity that could lead to data exfiltration, execution of unknown scripts, or unauthorized access and modification.

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains:

Indicators of Compromise (IoCs)

IndicatorAttribution
30c8be0d9deb59d98f7e047579763559f2c2dd9a7b4477636afcbebaaebc7dc5Mirrorthief skimming script hash (detected as Trojan.JS.MIRRORTHEIF.AA)
cloudmetric-analytics[.]comMirrorthief malicious domain
hxxps://cloudmetric-analytics[.]com/ga[.]jsMirrorthief malicious URL
hxxps://cloudmetric-analytics[.]com/analytics[.]jsMirrorthief malicious URL
hxxps://cloudmetric-analytics[.]com/analytic[.]php?ccm_post=Mirrorthief malicious URL
hxxps://g-analytics[.]com/libs/analytics[.]jsMagecart Group 11 malicious URL
hxxps://ebitbr[.]com/api[.]jsReactGet Group malicious URL


With special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping with the sinkholing of Mirrothief’s malicious domain and remediation reporting

The post Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada appeared first on .