By Angel Cuenca

According to a survey by the Consortium for School Networking, only 15% of technology leaders said they had implemented a cybersecurity plan for their school district. Spending little time and money on cybersecurity initiatives has motivated hackers to exploit weaknesses in systems, as shown in Magecart attacks. Magecart, a form of digital skimming attack that steals credit card or payment data from web visitors, has grown exponentially since its inception. What started in 2016 as a consortium of hacker groups has now transitioned into targeting all kinds of institutions, most recently the education system. In January 2020, Blue Bear software fell victim to Magecart. Blue Bear is a SaaS solution that facilitates administration and management of school accounting, student fees, and online stores on behalf of schools. In this article, we'll look at the root cause of the breach, relevant security trends, and potential solutions to these problems.

The Magecart Attack

Blue Bear software was using Magento (hence the name Magecart) as its third-party payment provider via the school's website, which allowed customers to input their credit card information once they were ready to purchase their goods. The first step of a Magecart attack is gaining access to an online store's backend. Hackers have typically done this by exploiting known vulnerabilities in the Magento payment gateway. Although it's unclear which method the hackers used in this specific scenario, gaining access to the store's backend could have been done either through SQL injection to set new passwords and admin roles or through cross-site scripting. With the cross-site scripting method, an attacker directly enters malicious JavaScript code into a form on the front-facing website (e.g. a contact form, first and last name fields, etc.). Once executed, the code can either take control of users' session cookies (which allows access to their sessions) or redirect the users to a fake website.

The school ended up sending a breach notification letter to the impacted families, offering them free identity monitoring services. It mentioned that the attack had gathered information for over a month. The school also suggested placing credit freezes to reduce the impact of the attack on the affected individuals.

Since the school was using cloud-based software for its payment provider (Magento), it could have implemented a solution known as CloudGuard SaaS, which provides real-time threat prevention capabilities. This solution can automatically search for any suspicious code changes made through SQL injection, using the award-winning collaborative network known as ThreatCloud. For more information on this technology, feel free to reach out to me for a consultation.


Dallas native currently pursuing his Master's in Cybersecurity at SMU. Huge basketball fan. **Angel's views and blog posts are his own**
