Credit card info of thousands of online stores at risk following hit on hosting firm

UPDATED Thousands of e-commerce sites were left at risk after attackers planted credit card skimming code in the infrastructure of Volusion, a vendor of cloud-hosted online stores.

An estimated 6,500 online retail sites were affected by the breach, with the Sesame Street Live online store among the confirmed victims.

The as-yet unidentified cybercriminals behind the breach used the increasingly notorious Magecart technique, planting malicious JavaScript code that logged payment card details entered into online forms.


Security researcher Marcel Afrahim uncovered the breach, the causes and scope of which he explains in a detailed blog post.

Afrahim became suspicious after visiting the official Sesame Street store and discovering that the checkout page of the e-commerce website was loading external JavaScript from a randomly named storage silo on Google Cloud Storage.
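The pattern Afrahim spotted can be checked for mechanically. The following is an added example, not code from Afrahim's post or from Volusion: it lists the external scripts in a checkout page's HTML and flags any that come from a host outside an allowlist, from shared cloud storage, or without a Subresource Integrity attribute. The page URL, allowlist, bucket name and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Anyone can create a bucket here, so the domain alone proves nothing about the owner.
SHARED_STORAGE_HOST = "storage.googleapis.com"

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def audit_scripts(page_url, html, allowed_hosts):
    """Return [(script_url, [reasons])] for external scripts that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = (urlsplit(url).hostname or "").lower()
        if host == page_host:
            continue  # first-party script, out of scope for this check
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not on allowlist")
        if host == SHARED_STORAGE_HOST or host.endswith("." + SHARED_STORAGE_HOST):
            reasons.append("shared cloud storage host")
        if not integrity:
            reasons.append("no SRI integrity attribute")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed sample markup; hosts, bucket name and hash are placeholders.
SAMPLE_HTML = """
<script src="/js/cart.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="//storage.googleapis.com/constructed-bucket/widget.js"></script>
"""

if __name__ == "__main__":
    for url, reasons in audit_scripts("https://shop.example.com/checkout",
                                      SAMPLE_HTML, {"cdn.example.net"}):
        print(url, "->", "; ".join(reasons))
```

A static pass like this only sees script tags present in the markup. Scripts added at run time by other JavaScript need a browser-based crawl or Content Security Policy reporting to surface.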

Open Sesame

US-based Volusion confirmed problems hours after news of the breach broke on Wednesday, adding overnight that it had removed the malicious module from its environment.

“We identified and removed the offensive malware yesterday and prevented future unauthorized access,” the firm said in an update to its official Twitter account.

“Our team has increased monitoring and alerting for all sites and working with law enforcement on this matter. We will continue to enhance our systems to ensure security for all.”

The Daily Swig asked Volusion to comment on the cause of the breach and the number of its 20,000 customers affected by the incident. In response, the firm offered a general statement stressing that it had quickly resolved the problem.

“Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts,” it said.

“A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.

“Volusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants,” it concluded.


This latest attack is one example of a growing threat: Magecart skimming code has been detected on websites over two million times, according to a study from security firm RiskIQ.

“Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups,” the company said. “RiskIQ has detected 9,688 vulnerable Magento hosts.”

Using cloud-based platforms like Volusion is no more inherently risky than other e-commerce provision options, according to Martin Jartelius, CSO at Outpost24.

“The risk of using a cloud-based solution is in no way different from using other hosted solutions that include active content on your website,” Jartelius explained.

“If you trust a third party, you trust them no matter where they happen to operate the domain you include content from.”

Javvad Malik, security awareness advocate at KnowBe4, added: “We’ve seen many attacks over the years that look to inject malicious code into trusted settings, such as into mobile phone app stores, WordPress plugins, or other widgets.

“This attack against Volusion follows the same methodology where, by compromising the infrastructure, all underlying sites and users become vulnerable.”


This story has been updated to add comment from Volusion.

