Magecart Hits Parents and Students via Blue Bear Attack

The latest attack takes aim at a vertical-specific e-commerce platform.

Blue Bear Software, an administration and e-commerce platform for K-12 schools and other educational institutions, is warning its customers that it has suffered a Magecart attack.

Blue Bear’s platform enables management of school accounting, student fees and online stores. In a letter to those affected (obtained by Bleeping Computer), the vendor’s parent company, Active Networks, said that anyone who had purchased items from a school webstore that was powered by its platform is potentially affected.

Magecart is an umbrella term encompassing several different threat groups who typically use the same modus operandi: They compromise websites by exploiting vulnerabilities in third-party e-commerce platforms, in order to inject card-skimming scripts on checkout pages.

At Virus Bulletin last October, researchers at RiskIQ said that Magecart is now so ubiquitous that its infrastructure is flooding the internet. There are 570+ known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains, researchers said.

“This time, the attack targeted an educational accounting software platform that parents use to pay for student fees, books and school supplies,” Elad Shapira, head of research at Panorays, said in an emailed statement. “Online retailers like Blue Bear are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards.”

In this case, the card-skimmers were present on websites using Blue Bear from Oct. 1 to Nov. 13 and collected names, payment-card numbers, expiration dates and CVV codes, and Blue Bear user IDs and passwords. No Social Security numbers, driver license numbers or similar government ID card numbers were caught up in the breach.

Magecart’s focus on attacking victims via the supply chain is part of a larger trend of attackers wanting to ‘own’ an entire system, including partners and suppliers.

Carbon Black’s Global Incident Response Threat Report last year found that 50 percent of today’s attacks leverage “island hopping.” This means that attackers are after not only one target network but also those that are connected via a supply chain.

“To prevent such attacks from occurring, companies must create and put processes in place to manage and review their susceptibility to the Magecart threat in their cyber supply chain,” said Shapira. “Doing so is important throughout the whole third-party business relationship, and should include continuous monitoring of third parties’ cyber-posture.”
