Learning from the WisePay Attack

WisePay

WisePay is a payment services provider to UK schools and academies offering a SaaS (Software as a Service) model. Its school payments software services mean that parents and guardians can make secure, cashless payments to their school or college for bursaries, trips, meals, school clubs and more.  The company, started by Sarah Phillips, joined forces with leading US-based education-tech company ‘Community Brands’ back in January 2018.

WisePay also offers a digital ‘parental engagement’ and forms manager service where it deals with emailing, texting, forms, and data collection on behalf of its school and academy customers.

Website Hack and Spoof Page

WisePay estimates that an attack on their website occurred at some time between Friday 2nd and Monday 5th October. Cyber-criminals were able to hack the WisePay website and re-direct the payment gateway page to a different URL of a spoof payment page that they controlled.  This kind of attack is known as ‘URL manipulation/ URL rewriting’.  In this way, parents who went to the right website to pay their UK school fees were still able to be duped into paying their money to the cyber-criminals.

The hack was quickly discovered (on Monday morning) and parents of the schools affected were informed just days after the attack.

After the Attack

The attack is thought to have affected around 300 schools and because it happened over just a weekend, it is likely that not many people (relatively) will have been affected.  Parents and guardians were informed that following the attack, WisePay had taken its website offline to deal with the incident and that it was taking steps to implement additional security measures to stop a recurrence of that kind of attack. Also, WisePay notified the UK’s Information Commissioner (as they were required to under GDPR) and notified UK law enforcement.

Forensic Investigation

Parents/guardians at the affected schools were also informed that their payment card data may have been unlawfully disclosed, asked to contact the school, and informed that WisePay had engaged a computer forensics expert and that there was a forensic investigation which is ongoing.  WisePay, via the school, recommended that those likely to be affected should be cautious regarding personal financial arrangements and should take prompt steps to pause or cancel the payment card was used to pay via WisePay during the period at the beginning of the month.

Echoes of Form-Jacking Attacks of 2019

The WisePay attack is reminiscent of the high-profile form-jacking attacks from the beginning of last year, such as those on BA and Ticketmaster who were targeted by the ‘Magecart’ hacking group. In the Ticketmaster attack, the hackers first compromised a chatbot that was used for customer support on Ticketmaster websites and this chatbot provided the 'way in' for the Magecart attackers, enabling them to alter the JavaScript code on Ticketmaster’s websites so that payment card data from customers could be siphoned off.

It is not yet known, however, what was the root cause of the WisePay attack.

How Do You Know If Your Personal Data Has Been Compromised?

As identified by WisePay in its communication (via schools) following the attack, in addition to following the advice to cancel the card used to pay, those who believe they may be affected by this kind of attack should look out for the following indicators:

• Any suspicious transactions shown on payment card statements and/or funds missing from a bank account.
• Receipt of ransomware messages or fake antivirus messages.
• The appearance of unwanted browser toolbars or unexpected software installs.
• An unfamiliar search history in a browser.
• Re-directions of internet searches and frequent, random popups onscreen.
• Reports that friends have received social media invitations that have not been sent.
• Online passwords not working.
• The mouse moving between programs and making selections.

Vigilance

After a cyber-attack, it is not uncommon for the victims to be targeted quickly again by those pretending to be helping them to recover from the attack, with a view to stealing money and details.  For example, attackers in this case may target affected parents/guardians pretending to be from the school, the police, or Action Fraud, and may ask for personal details to help with their enquiries. Those who have/may have been victims of a recent cyber attack should, therefore, be extra vigilant for this kind of social engineering and fraudulent activity.

Further Steps

There are steps that we can all take as individuals and businesses to protect our personal data from cyber-criminals, particularly if we suspect that our details may have been stolen in an attack.  These steps could include:

• Regularly reviewing financial account statements and credit reports, and reporting any suspicious activity to the financial institution/company concerned, the police, and Action Fraud.  It may be useful to obtain a free copy (30-day free trial) of your credit report from the major credit reporting agencies e.g. Equifax, to help spot any unusual activity.
• Consider placing a fraud alert on your credit report. It is free and will stay on your credit file for at least 90 days. An alert keeps creditors informed of any possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name.
• Consider placing a security freeze to stop any new credit from being opened in your name without a special security freeze PIN, and to stop others from accessing your credit report without your consent.
• Check whether your email address has been compromised in any known previous attacks by going to https://haveibeenpwned.com/.

Plans In Place

For businesses, in addition to taking steps to maintain day-to-day cyber defences, it is important to have realistic, workable plans in place such as a Cyber Resilience Plan to prepare for, respond to and recover from cyber-attacks. Business continuity planning and disaster recovery plans can mean the difference between the life and death of a business after a serious attack.

Looking Ahead

URL manipulation/URL rewriting and form-jacking attacks are becoming more frequent and educational institutions along with other large organisations are likely to be considered to be lucrative, softer targets.  The hackers involved had to find a way into the website in order to manipulate the URL and, as previous (similar) attacks have shown, this can be through chatbots, previously compromised accounts, phishing attacks and other means. Businesses and organisations therefore need to take a holistic approach and make sure that security measures are taken and maintained across the board as one small incident or loophole can sometimes lead to much bigger and successful attacks.

Contact our friendly Technical Support Team at Paradise Computing for further help or advice.