10 October 2019

Hackers hit Volusion e-commerce sites in pursuit of customers’ credit card data

Hackers compromised the infrastructure of the Volusion cloud-based e-commerce platform to infect customer checkout pages with malicious JavaScript code that pilfers payment card data. The info-stealing code was found embedded in a JavaScript file that is part of the Volusion e-commerce software. It is estimated that more than 6,500 sites are affected, but given that Volusion claims more than 20,000 customers, the number could be even higher.

The compromise was discovered by Check Point security researcher Marcel Afrahim while shopping on the Sesame Street Live Store, which sells merchandise from the popular kids' show. The site is built with Volusion's All-in-One E-commerce Website Builder, and Volusion even provides its nameservers. On the checkout page the researcher noted a strange JavaScript file named 'resources.js', stored in a bucket called 'volusionapi' and loaded from storage.googleapis.com.

For those unaware, storage.googleapis.com is the domain of Google Cloud Storage, a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. Anyone can sign up, choose a unique bucket name and serve content with the performance and scalability of Google's cloud. The odd part was that this file was the only resource loaded from a source other than 'sesamestreetlivestore.com' or Volusion-affiliated websites.
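The researcher's observation, that resources.js was the only resource not served from the shop's own or Volusion's hosts, can be turned into a routine check. The following is an added example (not code from the article, from Check Point or from Volusion) that extracts every external script reference from a checkout page and flags hosts outside a first-party allowlist; the allowlist, the page URL and the sample HTML are constructed for this example.

```javascript
// Added example: audit the <script src> hosts on a checkout page against a
// first-party allowlist. Hosts and sample HTML below are assumptions, not data
// from the article.

// Hosts the shop legitimately loads scripts from (assumption for this example).
const FIRST_PARTY_HOSTS = ['sesamestreetlivestore.com', 'volusion.com'];

// True when `host` equals an allowed host or is one of its subdomains.
// Note that a look-alike such as "volusion-cdn.com" does not match.
function isFirstParty(host, allowed = FIRST_PARTY_HOSTS) {
  return allowed.some((a) => host === a || host.endsWith('.' + a));
}

// Collect every external <script src="..."> in an HTML document, resolving
// relative and protocol-relative URLs against the page URL. A regex is enough
// for a quick audit; a crawler would use a real DOM parser instead.
function extractScriptSources(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    sources.push(new URL(m[1], pageUrl).href);
  }
  return sources;
}

// Return the absolute URLs of scripts loaded from non-first-party hosts.
function findThirdPartyScripts(html, pageUrl, allowed = FIRST_PARTY_HOSTS) {
  return extractScriptSources(html, pageUrl)
    .filter((src) => !isFirstParty(new URL(src).hostname, allowed));
}

// Constructed sample checkout page modelled on the loads described above:
// a relative first-party script, a Volusion-hosted script, and the odd
// bucket-hosted file on storage.googleapis.com.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/a/vnav.js"></script>
<script src="https://cdn.volusion.com/js/checkout.js"></script>
<script src="https://storage.googleapis.com/volusionapi/resources.js"></script>
</head><body>checkout form here</body></html>`;

const CHECKOUT_PAGE_URL = 'https://www.sesamestreetlivestore.com/checkout.asp';

// Run the audit on the sample page and print anything that is not first party.
console.log('Third-party scripts on checkout page:',
  findThirdPartyScripts(SAMPLE_CHECKOUT_HTML, CHECKOUT_PAGE_URL));
```

In a monitoring setup the same function would run against a freshly fetched copy of the checkout page on a schedule, with any new host outside the allowlist raising an alert; the first-party allowlist must list exact registrable domains, since suffix matching is what keeps a look-alike name from slipping through.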

'Resources.js' poses as a seemingly innocuous JavaScript library called 'JavaScript Cookie', designed for handling cookies, but in reality the script reads the values typed into the credit card fields, encodes them in Base64 and stores them in the browser's temporary 'sessionStorage' under the name '__utmz_opt_in_out'. The data is then exfiltrated to 'volusion-cdn.com/analytics/beacon', an attacker-controlled domain crafted to look like part of Volusion's infrastructure.
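The exfiltration step depends on the browser being allowed to send data to an arbitrary host. A Content Security Policy whose connect-src directive lists only the hosts the checkout page legitimately talks to would block that beacon, and the look-alike name makes the point that the policy must name exact hosts. The following added example (not code from the article, from Check Point or from Volusion) evaluates a simplified subset of CSP source matching ('self', 'none', '*', host expressions with an optional scheme and a leading wildcard label) against a destination; the policy string and page URL are constructed for this example, and the full matching algorithm in the CSP specification also handles ports, paths and scheme-only sources.

```javascript
// Added example: decide whether a CSP connect-src directive permits a
// connection (XHR, fetch, sendBeacon) to a destination. Simplified matcher;
// the policy and URLs below are assumptions, not data from the article.

// Parse a policy string into { directiveName: [sourceExpression, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression permit `dest` (a URL object) from `page`?
function sourceMatches(expr, dest, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return dest.origin === page.origin;
  if (e === '*') return true;
  // Drop an explicit scheme and any path so only the host part is compared.
  const host = e.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/\/.*$/, '');
  if (host.startsWith('*.')) {
    // "*.volusion.com" matches subdomains of volusion.com, not the apex and
    // not look-alikes such as "volusion-cdn.com".
    return dest.hostname.endsWith(host.slice(1));
  }
  return dest.hostname === host;
}

// True when the policy allows a connection from pageUrl to destUrl.
// connect-src falls back to default-src; with neither present, all is allowed.
function connectAllowed(policy, destUrl, pageUrl) {
  const d = parseCsp(policy);
  const sources = d['connect-src'] || d['default-src'];
  if (!sources) return true;
  const dest = new URL(destUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, dest, page));
}

// Constructed policy a Volusion-hosted shop might send, and the checkout page.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://*.volusion.com; " +
  "connect-src 'self' https://*.volusion.com";
const CHECKOUT_PAGE = 'https://www.sesamestreetlivestore.com/checkout.asp';

// The look-alike beacon host from the article is not covered by the policy.
console.log('beacon to volusion-cdn.com allowed:',
  connectAllowed(EXAMPLE_POLICY, 'https://volusion-cdn.com/analytics/beacon', CHECKOUT_PAGE));
// A genuine Volusion subdomain is.
console.log('call to api.volusion.com allowed:',
  connectAllowed(EXAMPLE_POLICY, 'https://api.volusion.com/cart', CHECKOUT_PAGE));
```

The script-src part of the same policy would have refused the resources.js load from storage.googleapis.com; the connect-src part is the layer that matters when the injected code already runs from a first-party file, as the tainted vnav.js did, because it limits where collected form data can be sent regardless of which script tries to send it.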

“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” the researcher said.

As for how the script got into the page in the first place, Afrahim explained that it was loaded via 'vnav.js', a JavaScript file used for navigating the UI menu.

“The code itself is claiming to be jQuery UI — v1.10.3, used for navigation UI menu, but there is the addition of the script to load the secondary malicious script to post data via a third script,” the researcher said.

A quick search for domains containing the tainted Volusion JavaScript revealed 6593 web pages that are probably hosted by Volusion and might be affected.

The above-mentioned incident falls into the category of so-called Magecart attacks, or web card skimming, in which cybercriminals steal payment card details from websites and e-commerce platforms. These attacks have been happening for nearly a decade, but in the past two years they have intensified. According to a recent RiskIQ report, over the last few months card-stealing scripts were spotted on more than 18 000 websites.
