University Investigates Skimming of Credit Card Data

Hackers Targeted Michigan State University's Online Store for Months

Michigan State University is investigating how hackers were able to steal credit card data from the school's online shopping site over a nine-month period.

The skimming, which took place between October 2019 and June, appears to have affected about 2,600 customers of the university's online store, shop.msu.edu, according to the school's Monday announcement.

Exposed data included customers' names, addresses and credit card numbers, according to the university, which says it’s working with law enforcement and attempting to determine the exact number of victims.

This skimming incident appears to be a Magecart-style attack, says Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who has been tracking these types of attacks for the past several years.

Magecart refers to a set of tactics cybercriminal groups use to steal payment card data from the online checkout function of e-commerce sites. These attacks typically involve planting malicious JavaScript on websites to capture card data when customers are making purchases (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).

"The attack we observed was indeed on par with Magecart. However, MSU was not the only victim, and about 60 or so other sites were also compromised by the same criminals," Klijnsma tells Information Security Media Group. The hackers apparently created their malicious infrastructure in February 2019 and attempted to target as many victims as possible, he adds.

Skimming Attack

The hackers who targeted MSU took advantage of a vulnerability in its online store website that has now been fixed, the university says. Although hacking stopped about June 26, the school just began notifying affected customers Monday.

"The security of our IT systems and those who use them are of paramount importance to MSU. We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right," Michigan State Interim CISO Daniel Ayala notes in the disclosure statement.

Klijnsma believes that the hackers likely planted malicious JavaScript code on the university's store checkout page using a malicious domain that closely resembled the googleapis.com website, which provides APIs and other services to developers. The skimmed credit card data likely was then sent to another site that also closely resembled a legitimate Google service, he says.

"All of it was meant to blend in with normal traffic - a quick glance would make someone think it was simply a script and activity around Google resources," Klijnsma says. "Not every site would have the same scripts included. The attackers played around with filenames to make more or less unique looking [domains], while constantly using the googapi[dot]com domain to blend in with normal traffic."
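The check below is an added example, not code from the article or from RiskIQ: it lists the external script hosts on a page and flags any whose domain is a near miss of an allowlisted one, which is how googapi[dot]com sits next to googleapis.com. The allowlist, the 0.25 similarity threshold and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: registrable domains this checkout page may load scripts from.
TRUSTED = {"googleapis.com", "msu.edu"}

def registrable(host):
    # Naive "last two labels"; a production audit would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance using a single rolling row.
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

class ScriptHosts(HTMLParser):
    # Collects the hostname of every external <script src=...> on the page.
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None  # None for relative URLs
        if host:
            self.hosts.append(host)

def audit(html, trusted=TRUSTED, threshold=0.25):
    # Label each script host: trusted, lookalike of a trusted domain, or unlisted.
    parser, findings = ScriptHosts(), {}
    parser.feed(html)
    for host in parser.hosts:
        dom = registrable(host)
        near = [t for t in sorted(trusted) if dom not in trusted
                and edit_distance(dom, t) / max(len(dom), len(t)) <= threshold]
        findings[host] = ("trusted" if dom in trusted else
                          f"lookalike of {near[0]}" if near else "not on allowlist")
    return findings

# Constructed sample page; only the defanged domain comes from the article.
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://googapi[dot]com/constructed-name.js"></script>
<script src="https://cdn.example.net/widget.js"></script>""".replace("[dot]", ".")
```

Calling `audit(SAMPLE)` returns one verdict per external script host; relative, first-party script paths are skipped because they carry no hostname.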

MSU is warning customers who shopped at its online store between October 2019 and June to be on the lookout for phishing and other scams that might be associated with the theft of their personal data. Some university staff members are undergoing training to help ensure this type of attack doesn't happen again, the school says.

Magecart Attacks

Magecart-style attacks have grown more sophisticated as hackers have attempted to more effectively hide malicious JavaScript on e-commerce sites. In June, security firm Malwarebytes reported that some fraudsters have hidden malicious code within the EXIF metadata of images and then covertly added these images onto e-commerce websites (see: Magecart Card Skimmer Hidden in Image's EXIF Metadata).

Trend Micro also recently reported that payment card data from the Click2Gov online payment platforms was stolen from eight U.S. cities via point-of-sale skimming malware (see: Payment Card Skimmer Attacks Hit 8 Cities).

Managing Editor Scott Ferguson contributed to this report.


About the Author

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.



