Phone : +91 95 8290 7788 | Email :

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Mirrorthief cybercrime group targets online campus stores in the US and Canada with card skimming malware

Mirrorthief cybercrime group targets online campus stores in the US and Canada with card skimming malware

  • The group has impacted 201 online campus stores in the United States and Canada.
  • The group is using Trojan.JS.MIRRORTHEIF.AA to steal payment card and personal details of customers.

The Magecart credit card skimming attack has recently been found to be linked with a new cybercrime group called Mirrorthief. The group has impacted 201 online campus stores in the United States and Canada.

What’s the matter?

According to a report from Trend Micro, the Mirrorthief hacking group is using a malicious skimming script – Trojan.JS.MIRRORTHEIF.AA – to steal payment card and personal details of customers. The attack against multiple campus store websites was detected by researchers on April 14, 2019.

The hackers injected the skimming script into the checkout pages of the websites, which consequently sent the stolen information to a remote server.

Which stores are compromised?

After a thorough investigation, the Trend Micro researchers learned that the Mirrorthief group compromised PrismWeb-based e-commerce websites. The PrismWeb, is an e-commerce platform designed for college stores by company PrismRBS, a subsidiary of Nebraska Book Company.

“The attacker injected their skimming script into the shared JavaScript libraries used by online stores on the PrismWeb platform. We confirmed that their scripts were loaded by 201 campus book and merchandise online stores, which serves 176 colleges and universities in the U.S. and 21 in Canada. The amount of payment information that was stolen is still unknown,” researchers wrote in a blog post.

How Mirrorthief performs its skimming activity?

Researchers noted that the Mirrorthief’s skimming JavaScript has been specifically designed to infect PrismWeb’s payment form. The location of injected payment checkout libraries on affected online stores are:

  • hxxps://[online store domain]/innerweb/v4.0/include/js/checkout_payment[.]js
  • hxxps://[online store domain]/innerweb/v3.1/include/js/checkout_payment[.]js

The injected malicious script is forged as a Google Analytics script.

“The injected script forged the Google Analytics script format, but loaded a different script from the attackers’ server. The loaded script is the main script that steals the payment information. Unlike many web skimmers, which are designed to collect information from many kinds of e-commerce payment pages in general, the skimmer that the Mirrorthief group used was designed specifically for PrismWeb’s payment page,” researchers added.

Once the user fills the payment form and clicks on the payment review, the skimmer code copies the targeted information into JavaScript Object Notation (JSON) format data. Later, it encrypts the stolen data using AES and Base64 encryption.

What information is stolen?

The skimmer collects data only from HTML elements with the specific IDs on PrismWeb’s payment form. The stolen credit information includes card number, expiry date, card type, card verification number, and the cardholder’s name. The skimmer also steals personal information like addresses and phone number for billing.

What action has been taken?

PrismRBS has been informed about the attack. The company has since released an official statement regarding the attack. It reported that the company became aware of unauthorized third-party access on e-commerce websites on April 26, 2019.

Upon learning of the incident, it immediately took actions to halt the attack. It has also initiated an investigation into the matter and notified the law enforcement agencies & payment card companies.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India













What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.


Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.


Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : | Support Email :

Register & Request Quote | Submit Support Ticket