A previously unknown group of cyber criminals stole an undisclosed number of payment card numbers after compromising the websites of more than 200 campus stores, according to TrendMicro, a security software firm.
The card-skimming group captured the raw payment details after planting previously unseen malicious code on a single web server that all of the college book and merchandise stores relied on, according to the firm. The script scraped all of the personal and financial information customers entered into the checkout forms, writes TrendMicro fraud researcher Joseph Chen.
Once captured, he said, the stolen data was whisked away to a remote server.
It is not known how many customers are affected, and the names of the affected institutions have not been released. The attack, according to Chen, hit 176 colleges and universities in the U.S. and 21 in Canada.
The group behind the attack, nicknamed “Mirrorthief,” does not appear to share infrastructure with previously known card-skimming groups, and its skimmer code did not match any seen before; it did, however, disguise the script as a legitimate Google Analytics script, a trick other so-called “Magecart” groups have used in the past.
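The two indicators described above, a script dressed up as Google Analytics but served from somewhere other than Google, and a shared platform script whose contents have quietly changed, are exactly what a store operator would want to check a checkout page for. The following Python script is an added example of that audit; it is not code from TrendMicro, PrismRBS or the original report, and every host name, file name, page and baseline in it is constructed for the illustration.

```python
"""Added example (not TrendMicro's or PrismRBS's code): audit the external
<script> tags on a checkout page for the two Magecart-style indicators the
article describes. All hosts, file names and page contents below are
constructed for the example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve Google Analytics / Tag Manager loaders.
GOOGLE_ANALYTICS_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}
# File names a skimmer disguised as Google Analytics is likely to borrow.
GA_FILENAMES = {"analytics.js", "ga.js", "gtag.js", "gtm.js"}


class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_scripts(html):
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def looks_like_google_analytics(src):
    """True if the URL is dressed up as a Google Analytics loader."""
    filename = urlparse(src).path.rsplit("/", 1)[-1]
    return filename in GA_FILENAMES or "google-analytics" in src.lower()


def audit_scripts(html, site_host, expected_hosts, baseline_hashes, fetched):
    """Return (src, reason) findings for the scripts on a checkout page.

    expected_hosts: hosts the page is allowed to load scripts from
    baseline_hashes: src -> SHA-256 hex of the known-good script body
    fetched: src -> script body as retrieved now (supplied by the caller so
             the audit runs offline; a real tool would fetch each src)
    """
    findings = []
    allowed = set(expected_hosts) | {site_host}
    for src in external_scripts(html):
        # Relative URLs resolve to the page's own host.
        host = (urlparse(src).hostname or site_host).lower()
        if looks_like_google_analytics(src) and host not in GOOGLE_ANALYTICS_HOSTS:
            findings.append((src, "analytics look-alike served from non-Google host"))
        if host not in allowed:
            findings.append((src, "script loaded from host not in allow-list"))
        # A skimmer planted in a shared platform script keeps the expected
        # host and file name, so only a content baseline catches it.
        if src in baseline_hashes and src in fetched:
            digest = hashlib.sha256(fetched[src].encode()).hexdigest()
            if digest != baseline_hashes[src]:
                findings.append((src, "content changed since baseline"))
    return findings


# --- constructed sample data (hypothetical hosts and files) ------------------
SHARED_JS = "https://shared.platform.example/js/storefront.js"
KNOWN_GOOD_SHARED_JS = "function initCheckout(){/* legitimate platform code */}\n"
# The same file after something has been appended to it on the shared server.
TAMPERED_SHARED_JS = KNOWN_GOOD_SHARED_JS + "/* injected skimmer placeholder */\n"

SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/js/cart.js"></script>
<script src="%s"></script>
<script src="https://analytics-cdn.example/analytics.js"></script>
</head><body><form id="payment"></form></body></html>
""" % SHARED_JS


def demo():
    """Run the audit over the constructed page and return its findings."""
    baseline = {SHARED_JS: hashlib.sha256(KNOWN_GOOD_SHARED_JS.encode()).hexdigest()}
    fetched = {SHARED_JS: TAMPERED_SHARED_JS}
    return audit_scripts(
        SAMPLE_CHECKOUT_HTML,
        site_host="store.campus.example",
        expected_hosts={"www.google-analytics.com", "shared.platform.example"},
        baseline_hashes=baseline,
        fetched=fetched,
    )


if __name__ == "__main__":
    for src, reason in demo():
        print(f"{reason}: {src}")
```

On the constructed page the look-alike `analytics.js` is flagged twice (wrong host for a Google Analytics name, and a host outside the allow-list), while the tampered shared script is caught only by the baseline hash: it is served from the platform host the store expects and under its usual name, which is the situation the article describes, where the skimmer rode in on a server every store already trusted. A host allow-list alone would therefore have missed it; in production the baseline should be refreshed on each known deployment of the shared script, or replaced with Subresource Integrity attributes where the script is versioned and does not change underneath the page.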
PrismRBS, which makes the e-commerce platform the stores run on, said it became aware of the compromise on April 26, stopped the attack shortly afterwards, and then launched an investigation with the help of an outside forensic IT firm. “We are proactively notifying potentially impacted customers to let them know about the incident, the steps we are taking to address the situation, and steps they can take to protect their end users,” the company said in a statement published by TrendMicro.
“We deeply regret any concern or frustration this incident may cause,” PrismRBS said, adding that additional guidance would be forthcoming as its investigation unfolds.
“Groups that employ this digital attack have been known to come up with new ways to stay undetected on the sites they compromise,” TrendMicro’s Chen wrote. To stay ahead of such attacks, he said, site administrators should employ robust authentication measures, deploy security patches on time, and segregate networks handling sensitive data to minimise the impact of such intrusions.
This post will be updated when new information becomes available.