University Investigates Skimming of Credit Card Data
Hackers Targeted Michigan State University's Online Store for Months
Michigan State University is investigating how hackers were able to steal credit card data from the school's online shopping site over a nine-month period.
The skimming, which took place between October 2019 and June, appears to have affected about 2,600 customers of the university's online store, shop.msu.edu, according to the school's Monday announcement.
Exposed data included customers' names, addresses and credit card numbers, according to the university, which says it's working with law enforcement and attempting to determine the exact number of victims.
This skimming incident appears to be a Magecart-style attack, says Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who has been tracking these types of attacks for the past several years.
"The attack we observed was indeed on par with Magecart. However, MSU was not the only victim, and about 60 or so other sites were also compromised by the same criminals," Klijnsma tells Information Security Media Group. The hackers apparently created their malicious infrastructure in February 2019 and attempted to target as many victims as possible, he adds.
The hackers who targeted MSU took advantage of a vulnerability in its online store website that has now been fixed, the university says. Although the hacking stopped about June 26, the school only began notifying affected customers Monday.
"The security of our IT systems and those who use them are of paramount importance to MSU. We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right," Michigan State Interim CISO Daniel Ayala notes in the disclosure statement.
"All of it was meant to blend in with normal traffic - a quick glance would make someone think it was simply a script and activity around Google resources," Klijnsma says. "Not every site would have the same scripts included. The attackers played around with filenames to make more or less unique looking [domains], while constantly using the googapi[dot]com domain to blend in with normal traffic."
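A store operator can check for the lookalike-host pattern described above by listing every external script host on a page and comparing unlisted ones against the trusted domains they might imitate. The following is an added example, not code from MSU or RiskIQ; the allowlist, the trusted-domain list, the distance threshold and the sample HTML (including the script filename) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: external hosts this store is expected to load scripts from.
ALLOWED = {"ajax.googleapis.com"}
# Assumption: trusted domains a skimmer host is likely to imitate.
TRUSTED_BASES = ["googleapis.com", "google-analytics.com", "googletagmanager.com"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ScriptHosts(HTMLParser):
    """Collects the host of every <script src=...> that names one."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None
        if host:  # relative (same-origin) sources have no host and are skipped
            self.hosts.append(host)

def audit(html, allowed=ALLOWED, max_distance=3):
    """Return (host, verdict) for each external script host not on the allowlist."""
    parser = ScriptHosts()
    parser.feed(html)
    findings = []
    for host in dict.fromkeys(parser.hosts):  # de-duplicate, keep order
        if host in allowed:
            continue
        base = ".".join(host.split(".")[-2:])  # naive: last two labels
        nearest = min(TRUSTED_BASES, key=lambda t: edit_distance(base, t))
        close = 0 < edit_distance(base, nearest) <= max_distance
        findings.append((host, f"lookalike of {nearest}" if close else "unlisted"))
    return findings

# Constructed sample page; the skimmer host is kept defanged until parse time.
SKIMMER_HOST = "googapi[dot]com".replace("[dot]", ".")
SAMPLE_HTML = f"""<script src="/static/checkout.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://{SKIMMER_HOST}/placeholder.js"></script>
<script src="//cdn.unknown-widgets.example/w.js"></script>"""

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HTML):
        print(host, "->", verdict)
```

Run against rendered checkout pages on a schedule, a check like this surfaces a new script host even when its name resembles a familiar Google resource.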
MSU is warning customers who shopped at its online store between October 2019 and June to be on the lookout for phishing and other scams that might be associated with the theft of their personal data. Some university staff members are undergoing training to help ensure this type of attack doesn't happen again, the school says.
Trend Micro also recently reported that payment card data from the Click2Gov online payment platforms was stolen from eight U.S. cities via point-of-sale skimming malware (see: Payment Card Skimmer Attacks Hit 8 Cities).
Managing Editor Scott Ferguson contributed to this report.