A group of hackers has planted malicious JavaScript code that steals payment card details inside the e-commerce system used by colleges and universities in Canada and the US.
The malicious code was found on 201 online stores that were catering to 176 colleges and universities in the US and 21 in Canada, cyber-security Trend Micro said in a report[2] released on Friday.
The attack is what security researchers call a Magecart attack[3] --which consists of hackers placing malicious JavaScript code on the checkout and payment pages of online stores to record payment card data, which they later upload to their servers, and re-sell on underground cybercrime forums.
Hackers breached PrismRBS
This particular Magecart attack was detected on April 14, according to Trend Micro, and impacted PrismRBS[4], the company behind PrismWeb[5], an e-commerce platform (a-la Shopify) sold to colleges and universities in North America.
Trend Micro said hackers breached PrismRBS and modified the PrismWeb platform to include a malicious JavaScript file that got loaded on all active PrismWeb deployments.
The script, modeled to look like a file part of the Google Analytics service, was active until April 26, when Trend Micro notified the vendor, which took action to remove the card skimmer code.
In a statement released to Trend Micro, PrismRBS formally acknowledged the hack and said it was notifying impacted colleges, as well as engaging with an external IT forensic firm to look deeper into the incident.
Magecart attacks expanding
There have been quite a few hacker groups that have started carrying out Magecart (JS card skimming, JS card sniffing) attacks over the past few months, and the number is now in the tens.