{
	"id": "c10b1032-0b51-41a3-a505-35c13cb54096",
	"created_at": "2026-04-06T00:10:36.775053Z",
	"updated_at": "2026-04-10T03:24:11.866716Z",
	"deleted_at": null,
	"sha1_hash": "e7b7c9cb511edac1e8d98207440454ef90677bd9",
	"title": "Mirrorthief Hits Campus Online Stores Using Magecart",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80411,
	"plain_text": "Mirrorthief Hits Campus Online Stores Using Magecart\r\nBy: Joseph C Chen May 03, 2019 Read time: 5 min (1273 words)\r\nPublished: 2019-05-03 · Archived: 2026-04-05 16:03:48 UTC\r\nWe uncovered recent activity involving the notorious online credit card skimming attack known as Magecart. The attack, facilitated by a new cybercrime group, impacted 201 online campus stores in the United States and Canada.\r\nWe started detecting the attacks against multiple campus store websites on April 14, during which the sites were injected with a malicious skimming script (detected by Trend Micro as Trojan.JS.MIRRORTHEIF.AA) at their payment checkout pages. The skimming script can scrape credit card information, as well as personal details entered on the payment page. The stolen information is then sent to a remote server. After looking into this attack, we learned that the attackers compromised PrismWeb, an e-commerce platform designed for college stores by the company PrismRBS, a subsidiary of Nebraska Book Company.\r\nThe attackers injected their skimming script into the shared JavaScript libraries used by online stores on the PrismWeb platform. We confirmed that their scripts were loaded by 201 campus book and merchandise online stores, which serve 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown.\r\nWe disclosed our findings to PrismRBS. The company has since released an official statement regarding the skimming attack: \"On April 26, 2019, PrismRBS became aware that an unauthorized third-party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts. Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, notified law enforcement and payment card companies. Our investigation is ongoing to determine the scope of the issue, including who and what information may have been impacted. Based on our review to date, we have determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.\r\nWe are proactively notifying potentially impacted customers to let them know about the incident, the steps we are taking to address the situation, and steps they can take to protect their end users. We deeply regret any concern or frustration this incident may cause. Protecting the security and privacy of information remains a top priority. We are taking steps to further strengthen the security of our systems, including enhanced client-side and back-end monitoring tools and a comprehensive end-to-end audit of our systems. Once our investigation concludes, we will be providing our customers with additional information and guidance.\"\r\nSince we can’t connect the said attack to any previous Magecart groups — even if the attack shared some similar characteristics with a few of them — we labeled this new group “Mirrorthief”.\r\nFigure 1. Mirrorthief attack chain\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/\r\nPage 1 of 5\r\nFigure 2. Payment page of PrismWeb online store loads Mirrorthief’s skimming script\r\nFigure 3. Mirrorthief injection on PrismWeb checkout payment’s library\r\nHow Mirrorthief performs its skimming activities\r\nOn April 14, the attackers injected a script into the payment checkout libraries used by the PrismWeb platform. The locations of the injected payment checkout libraries on affected online stores were:\r\nhxxps://[online store domain]/innerweb/v4.0/include/js/checkout_payment[.]js\r\nhxxps://[online store domain]/innerweb/v3.1/include/js/checkout_payment[.]js\r\nThe injected script mimicked the Google Analytics script format, but loaded a different script from the attackers’ server. The loaded script is the main script that steals the payment information. Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page. The skimmer collects data only from HTML elements with specific IDs on PrismWeb’s payment form. The stolen credit card information includes the card number, expiry date, card type, card verification number (CVN), and the cardholder’s name. The skimmer also steals personal information such as billing addresses and phone numbers.\r\nOnce the user has finished filling in the payment form and clicked on the payment review, the skimmer copies the targeted information into JavaScript Object Notation (JSON) format data, encrypts it with AES, and Base64-encodes the result. Next, the skimmer sends it to a remote server by creating an HTML image element whose source is the attackers’ URL with the encrypted payment information appended as a query string. The server then receives the skimmed data from the URL’s query string and returns a 1-pixel PNG image.\r\nHTML Element ID | Mirrorthief JSON Data Schema | Information\r\n_cc_number | aa | Credit card number\r\n_cc_expmonth | bb | Credit card expiration month\r\n_cc_expyear | cc | Credit card expiration year\r\ncc_type | dd | Credit card type\r\n_cc_cvn | ee | Credit card CVN number\r\ncc_first_name | ff | First name of cardholder\r\ncc_last_name | gg | Last name of cardholder\r\nbill_to_phone | hh | Phone number for billing\r\nbill_to_country | ii | Billing address (country)\r\nbill_to_state | jj | Billing address (state)\r\nbill_to_street1 | kk | Billing address (street)\r\nbill_to_street2 | ll | Billing address (street)\r\nbill_to_city | mm | Billing address (city)\r\nbill_to_zip | nn | Billing address (zip code)\r\nTable 1. Sensitive data targeted by Mirrorthief’s skimmer\r\nFigure 4. Mirrorthief skimming script copies payment information and encrypts it with AES encryption (deobfuscated)\r\nComparing Magecart-wielding groups\r\nThe Mirrorthief group made the injected script on the compromised libraries similar to the legitimate Google Analytics script and registered a malicious domain (which also appears similar to the original Google Analytics domain) to disguise their activity. Impersonating the Google Analytics service is a known tactic also used by Magecart Group 11, the group behind the Vision Direct breach. Another group called ReactGet, which infected many e-commerce websites around the world, was also recently seen adopting a similar impersonation tactic.\r\nWhen we checked Mirrorthief’s network infrastructure, we found that it did not overlap with that of any known cybercrime group. In addition, the skimmer Mirrorthief used in the attack is very different from the others, since it is specially designed to skim PrismWeb’s payment form. It sends the skimmed data through a unique JSON schema, which may hint that the group uses its own backend data receiver instead of a popular skimming kit. Moreover, all three groups encrypted the skimmed data before transfer, but used different JavaScript libraries. Below is a table for comparison.\r\nGroup | Encryption Algorithm | JavaScript Library\r\nMagecart Group 11 | AES | Gibberish-AES\r\nReactGet | RSA | JSEncrypt\r\nMirrorthief | AES | Crypto-JS\r\nTable 2. Comparison of encryption algorithms used by the different groups\r\nFigure 5. Magecart Group 11 injection pattern\r\nFigure 6. ReactGet Group injection pattern\r\nFigure 7. Mirrorthief Group injection pattern\r\nMagecart has evolved its tactics and exposed many sites to skimming attacks over the years. Groups that employ this digital attack have been known to come up with new ways to stay undetected on the sites they compromise. To defend against this type of threat, website owners should regularly check and strengthen their security with patches and server segregation. Site owners should also employ robust authentication mechanisms, especially for those that store and manage sensitive data. IT and security teams should restrict or disable outdated components, and habitually monitor websites and applications for any indicators of suspicious activity that could lead to data exfiltration, execution of unknown scripts, or unauthorized access and modification.\r\nThe following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains:\r\nTrend Micro™ Security\r\nSmart Protection Suites and Worry-Free™ Business Security\r\nTrend Micro Network Defense\r\nHybrid Cloud Security\r\nIndicators of Compromise (IoCs)\r\nIndicator | Attribution\r\n30c8be0d9deb59d98f7e047579763559f2c2dd9a7b4477636afcbebaaebc7dc5 | Mirrorthief skimming script hash (detected as Trojan.JS.MIRRORTHEIF.AA)\r\ncloudmetric-analytics[.]com | Mirrorthief malicious domain\r\nhxxps://cloudmetric-analytics[.]com/ga[.]js | Mirrorthief malicious URL\r\nhxxps://cloudmetric-analytics[.]com/analytics[.]js | Mirrorthief malicious URL\r\nhxxps://cloudmetric-analytics[.]com/analytic[.]php?ccm_post= | Mirrorthief malicious URL\r\nhxxps://g-analytics[.]com/libs/analytics[.]js | Magecart Group 11 malicious URL\r\nhxxps://ebitbr[.]com/api[.]js | ReactGet Group malicious URL\r\nWith special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping with the sinkholing of Mirrorthief’s malicious domain and remediation reporting.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/"
	],
	"report_names": [
		"mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7b7c9cb511edac1e8d98207440454ef90677bd9.pdf",
		"text": "https://archive.orkl.eu/e7b7c9cb511edac1e8d98207440454ef90677bd9.txt",
		"img": "https://archive.orkl.eu/e7b7c9cb511edac1e8d98207440454ef90677bd9.jpg"
	}
}