University Investigates Skimming of Credit Card Data
Hackers Targeted Michigan State University's Online Store for Months
Michigan State University is investigating how hackers were able to steal credit card data from the school's online shopping site over a nine-month period.
The skimming, which took place between October 2019 and June, appears to have affected about 2,600 customers of the university's online store, shop.msu.edu, according to the school's Monday announcement.
Exposed data included customers' names, addresses and credit card numbers, according to the university, which says it’s working with law enforcement and attempting to determine the exact number of victims.
This skimming incident appears to be a Magecart-style attack, says Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who has been tracking these types of attacks for the past several years.
Magecart refers to a set of tactics cybercriminal groups use to steal payment card data from the online checkout function of e-commerce sites. These attacks typically involve planting malicious JavaScript on websites to capture card data when customers are making purchases (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).
"The attack we observed was indeed on par with Magecart. However, MSU was not the only victim, and about 60 or so other sites were also compromised by the same criminals," Klijnsma tells Information Security Media Group. The hackers apparently created their malicious infrastructure in February 2019 and attempted to target as many victims as possible, he adds.
Skimming Attack
The hackers who targeted MSU took advantage of a vulnerability in its online store website that has now been fixed, the university says. Although the hacking stopped about June 26, the school just began notifying affected customers Monday.
"The security of our IT systems and those who use them are of paramount importance to MSU. We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right," Michigan State Interim CISO Daniel Ayala notes in the disclosure statement.
Klijnsma believes that the hackers likely planted malicious JavaScript code on the university's store checkout page using a malicious domain that closely resembled the googleapis.com website, which provides APIs and other services to developers. The skimmed credit card data likely was then sent to another site that also closely resembled a legitimate Google service, he says.
"All of it was meant to blend in with normal traffic - a quick glance would make someone think it was simply a script and activity around Google resources," Klijnsma says. "Not every site would have the same scripts included. The attackers played around with filenames to make more or less unique looking [domains], while constantly using the googapi[dot]com domain to blend in with normal traffic."
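A site owner can check for the pattern Klijnsma describes by listing the hosts a checkout page loads scripts from and flagging any that are close to, but not on, an allowlist. The Python below is an added example, not code from MSU or RiskIQ; the allowlist, the 0.8 similarity threshold, the sample page and its file names are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: registrable domains this checkout page is expected to load scripts from.
ALLOWED = {"msu.edu", "googleapis.com"}
THRESHOLD = 0.8  # assumed similarity cut-off for "resembles an allowed domain"

def refang(text):
    """Turn a defanged indicator such as 'googapi[dot]com' back into a hostname."""
    return text.replace("[dot]", ".").replace("[.]", ".")

def registrable(host):
    """Naive last-two-labels approximation; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ScriptSources(HTMLParser):
    """Collects the src attribute of every <script> tag into self.sources."""
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_scripts(html, base_host):
    """Return (host, verdict) for every script host outside the allowlist."""
    parser = ScriptSources()
    parser.sources = []
    parser.feed(html)
    findings = []
    for src in parser.sources:
        # A relative URL has no hostname, so it is served by the page's own host.
        host = urlparse(src, scheme="https").hostname or base_host
        domain = registrable(host)
        if domain in ALLOWED:
            continue
        # Closest allowed domain by character-sequence similarity (0.0 to 1.0).
        score, best = max((SequenceMatcher(None, domain, d).ratio(), d) for d in ALLOWED)
        verdict = f"lookalike of {best}" if score >= THRESHOLD else "unlisted"
        findings.append((host, verdict))
    return findings

# Constructed sample page; paths and file names are invented for the example.
SAMPLE = f"""
<script src="https://ajax.googleapis.com/libs/jquery.min.js"></script>
<script src="https://fonts.{refang('googapi[dot]com')}/css/checkout.js"></script>
<script src="/static/cart.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
"""
```

Calling `audit_scripts(SAMPLE, "shop.msu.edu")` reports the googapi host as a lookalike of googleapis.com and the constructed third-party CDN as unlisted, while the genuine Google and first-party scripts pass.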
MSU is warning customers who shopped at its online store between October 2019 and June to be on the lookout for phishing and other scams that might be associated with the theft of their personal data. Some university staff members are undergoing training to help ensure this type of attack doesn't happen again, the school says.
Magecart Attacks
Magecart-style attacks have grown more sophisticated as hackers have attempted to more effectively hide malicious JavaScript on e-commerce sites. In June, security firm Malwarebytes reported that some fraudsters have hidden malicious code within the EXIF metadata of images and then covertly added these images onto e-commerce websites (see: Magecart Card Skimmer Hidden in Image's EXIF Metadata).
Trend Micro also recently reported that payment card data from the Click2Gov online payment platforms was stolen from eight U.S. cities via point-of-sale skimming malware (see: Payment Card Skimmer Attacks Hit 8 Cities).
Managing Editor Scott Ferguson contributed to this report.