Payment scammers hit 201 campus checkouts with Magecart-inspired tactics

Mirrorthief is a new group that specifically targeted an orgnization that provides code to colleges and universities.

A gang of payment-card scammers has targeted 201 college and university campus stores, trying to steal students’ financial data in a Magecart-style attack, according to new research.

The new cybercrime group, labeled Mirrorthief, injected malicious code on payment checkout pages at hundreds of U.S. and Canadian stores, according to TrendMicro research published Friday. By compromising PrismWeb, an e-commerce platform designed for college stores, the attackers could collect payment card details, names, addresses and phone numbers, researchers said. PrismWeb is made by PrismRBS, a subsidiary of the Nebraska Book Company.

TrendMicro’s report comes as security researchers continue to grapple with an expansion of payment-card thievery along with an apparent surge in demand for stolen financial information. Success by one group inspires imitators in another. The most prominent, Magecart, is a collection of perhaps 12 hacking campaigns that steal payment information by secretly collecting data from online checkout pages.

TrendMicro researchers noted that Mirrorthief is not another Magecart group, though the attack techniques share similar strategies.


Mirrorthief is successful in part because it registers its malicious web domains in a way that disguises their true intent, and it also impersonates the Google Analytics service to skim information, as Magecart did in its breach of optical equipment manufacturer Vision Direct. But this attack specifically targeted PrismRBS technology, unlike other payment thieves who design their code to steal information from as many pages as possible.

“When we checked Mirrorthief’s network infrastructure, we found that it did not have any overlap with any known cybercrime groups,” the researchers said.

The number of people affected was not immediately clear. TrendMicro detected its first attack against “multiple stores” on April 14. PrismRBS said it learned of the breach on April 26, and that it too immediate steps to halt the attack.

Magecart methods have ranged from breaching sites via third-party providers, such as customer service tools, to harvesting data with JavaScript-sniffers, which allow thieves to steal financial data with just a few lines of code. Thousands of companies have been hit by Magecart, including British Airways, BevMo and OXO, the housewares giant.

Latest Podcasts