Supply Chain Attacks Are Going Strong
This time the attack is against an eCommerce platform, PrismWeb, that is used by college bookstores.
The attack is similar to other attacks, in that the hackers somehow got into the company’s system and inserted a tiny bit of JavaScript that steals credit card data – very similar to Magecart, which is affecting sites from Ticketmaster to British Airways. PrismWeb is integrated into the various college bookstore websites, and when a student goes to checkout, the malware is downloaded from PrismWeb as part of the JavaScript needed to operate the checkout process.
These attackers are clever in that the malware takes the data, formats it as JSON, encrypts it and uploads it in a way that makes it look like Google Analytics data.
The data being stolen is the credit card number, expiration date, CVV, billing name and address, and phone.
Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.
What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.
If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.
One thing that all of these attacks have in common is that the data is being uploaded from your site to the attackers. If your site should not be uploading data unsolicited (that is, not in direct response to a user’s query), you need to know when this is happening and be alerted.
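As an added illustration of that detection idea (this is example code, not from the article or from PrismWeb), here is a check that runs over outbound requests recorded from a checkout page: it flags any request that sends data to a host outside an allowlist, and separately flags requests shaped like a Google Analytics beacon but aimed at a host that is not Google's. The store hostname, the request record shape and the sample requests are all assumptions.

```javascript
// Hosts the checkout page is expected to talk to (assumed for this example).
const ALLOWED_HOSTS = new Set([
  'bookstore.example',          // the store's own origin (placeholder)
  'www.google-analytics.com',   // the real Google Analytics endpoint
]);

// Real GA beacons go to Google's hosts; anything else using the GA
// request shape is a lookalike.
function isGoogleAnalyticsHost(hostname) {
  return hostname === 'www.google-analytics.com' ||
         hostname === 'analytics.google.com' ||
         hostname.endsWith('.google-analytics.com');
}

// req = { method, url, hasBody } (assumed record shape, e.g. from a
// proxy log or a browser performance/network trace).
function classifyRequest(req, allowedHosts = ALLOWED_HOSTS) {
  const u = new URL(req.url);
  const findings = [];
  // GA beacons use a "/collect" path and a "tid" (tracking id) parameter.
  const looksLikeGa = /\/collect\b/.test(u.pathname) || u.searchParams.has('tid');
  if (looksLikeGa && !isGoogleAnalyticsHost(u.hostname)) {
    findings.push('ga-lookalike-to-foreign-host');
  }
  // Anything carrying data outbound (body, non-GET, or query string)
  // to a host we did not expect is the "unsolicited upload" pattern.
  const sendsData = req.method !== 'GET' || req.hasBody || u.search.length > 0;
  if (sendsData && !allowedHosts.has(u.hostname)) {
    findings.push('unsolicited-upload-to-unlisted-host');
  }
  return findings;
}

function findSuspiciousRequests(requests, allowedHosts = ALLOWED_HOSTS) {
  return requests
    .map(r => ({ url: r.url, findings: classifyRequest(r, allowedHosts) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample: three requests observed during a checkout. The
// lookalike host is a placeholder, not infrastructure from the incident.
const SAMPLE_REQUESTS = [
  { method: 'GET',  url: 'https://bookstore.example/checkout', hasBody: false },
  { method: 'GET',  url: 'https://www.google-analytics.com/collect?v=1&tid=UA-0000-1&t=pageview', hasBody: false },
  { method: 'POST', url: 'https://analytics-lookalike.example/collect?v=1&tid=UA-0000-1', hasBody: true },
];

console.log(findSuspiciousRequests(SAMPLE_REQUESTS));
```

Only the third request is reported, with both findings; the genuine GA beacon and the store's own page load pass.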
Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
Ultimately, the problem is with the vendor. Somehow they were compromised. And the compromise was not detected.
In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.
MAYBE they will be compensated. Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win). That is all a function of how well their Vendor Cyber Risk Management process works.
Ultimately, it is your problem to deal with and right now, most companies are not paying enough attention to it and the hackers are having a field day. That is, until they are hacked. At which point they throw millions at it. Not a great strategy – for YOU or for YOUR CUSTOMERS.
Source: Bleeping Computer.