10 October 2019

Hackers hit Volusion e-commerce sites in pursuit of customers’ credit card data

Hackers compromised the infrastructure of Volusion's cloud-based e-commerce platform to infect customer checkout pages with malicious JavaScript code that pilfers payment card data. The info-stealing code was found embedded in a JavaScript file that is part of the Volusion e-commerce software. It is estimated that more than 6,500 sites are affected, but given that Volusion claims to have more than 20,000 customers, the number could be even higher.

The compromise was discovered by Check Point security researcher Marcel Afrahim while shopping on the Sesame Street Live Store, which sells merchandise from the popular kids' show. The site is built with Volusion's All-in-One E-commerce Website Builder, and Volusion even provides its nameservers. On the checkout page the researcher noticed a strange JavaScript file named 'resources.js', served from a bucket called 'volusionapi' on storage.googleapis.com.

For those unaware, storage.googleapis.com is the domain of Google Cloud Storage, a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. Anyone can sign up, choose a unique bucket name and serve content with the performance and scalability of Google's cloud. The odd part was that this file was the only resource loaded from a source other than 'sesamestreetlivestore.com' or websites affiliated with 'volusion.com'.
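The anomaly Afrahim noticed, a single script served from a host unrelated to the shop or its platform, is something a site owner can check for mechanically. The following is an added example, not code from the article, Check Point or Volusion: it extracts the `<script src>` URLs a page loads and classifies each host as first-party, lookalike (a host that merely contains the brand label, as 'volusion-cdn.com' does) or third-party. The page URL, first-party host list, file paths and HTML fragment are constructed for illustration.

```javascript
// Added example (not from the article, Check Point or Volusion): list the
// scripts a checkout page loads and flag any host outside the shop's own
// first-party hosts. All sample values below are constructed.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// 'first-party' if the host is an allowed host or a subdomain of one,
// 'lookalike' if it only contains an allowed brand label (e.g. volusion-cdn.com),
// 'third-party' otherwise.
function classifyHost(hostname, allowedHosts) {
  const host = hostname.toLowerCase();
  for (const allowed of allowedHosts) {
    if (host === allowed || host.endsWith('.' + allowed)) return 'first-party';
  }
  for (const allowed of allowedHosts) {
    const brand = allowed.split('.')[0];
    if (brand.length >= 4 && host.includes(brand)) return 'lookalike';
  }
  return 'third-party';
}

// Returns every script source that is not first-party, with its verdict.
function auditScriptSources(html, pageUrl, allowedHosts) {
  const flagged = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try {
      url = new URL(match[1], pageUrl); // resolves relative and protocol-relative src
    } catch (e) {
      flagged.push({ src: match[1], verdict: 'unparsable' });
      continue;
    }
    const verdict = classifyHost(url.hostname, allowedHosts);
    if (verdict !== 'first-party') flagged.push({ src: url.href, verdict });
  }
  return flagged;
}

// Constructed checkout page fragment; paths and hosts are illustrative.
const SAMPLE_PAGE_URL = 'https://www.sesamestreetlivestore.com/checkout.asp';
const SAMPLE_FIRST_PARTY = ['sesamestreetlivestore.com', 'volusion.com'];
const SAMPLE_HTML = `
<script src="/v/vspfiles/vnav.js"></script>
<script src="//cdn.volusion.com/js/jquery-ui.min.js"></script>
<script src="https://storage.googleapis.com/volusionapi/resources.js"></script>
<script>var inlineConfig = {};</script>
`;

console.log(auditScriptSources(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_FIRST_PARTY));
```

Run with `node`; only the Google Cloud Storage script is reported. The same `classifyHost` check can be applied to request hosts from a HAR file or CSP violation reports, where a beacon to a lookalike host such as the one named later in the article would stand out.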

'Resources.js' poses as a seemingly innocuous JavaScript library called 'JavaScript Cookie', designed for handling cookies, but in reality the script reads the values typed into the credit card fields, encodes them in Base64 and stores them in the browser's temporary 'sessionStorage' under the name '__utmz_opt_in_out'. The data is then exfiltrated to 'volusion-cdn.com/analytics/beacon', an attacker-controlled domain made to look like part of Volusion's infrastructure.
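The staging step described above, Base64-encoded card data parked in sessionStorage under a tracking-style key, can be checked for from the defender's side. The following is an added example, not the skimmer and not code from the article or Volusion: it scans a snapshot of storage entries, Base64-decodes values that look encoded and flags any whose plaintext contains a Luhn-valid card number. The snapshot, including the card number (a standard test PAN), is constructed.

```javascript
// Added example (not from the article or Volusion): flag storage entries whose
// Base64-decoded value contains a Luhn-valid card number, i.e. data staged the
// way the article describes. The storage snapshot below is constructed.

// Luhn check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the text holds a 13-19 digit run that passes Luhn (spaces/dashes ignored).
function containsCardNumber(text) {
  const runs = text.replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Decode only values that are plausibly Base64; anything else returns null.
function decodeBase64(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return null;
  return Buffer.from(value, 'base64').toString('utf8');
}

// Returns the keys of entries that look like staged card data.
function findStagedCardData(storageSnapshot) {
  const hits = [];
  for (const [key, value] of Object.entries(storageSnapshot)) {
    const decoded = decodeBase64(value);
    if (decoded !== null && containsCardNumber(decoded)) hits.push(key);
  }
  return hits;
}

// Constructed sessionStorage snapshot: one staged record (test PAN 4111...),
// one benign Base64 preference blob and one plain identifier.
const SAMPLE_STORAGE = {
  '__utmz_opt_in_out': Buffer.from(
    JSON.stringify({ cc: '4111111111111111', exp: '12/24', cvv: '123' })
  ).toString('base64'),
  'ui_prefs': Buffer.from('{"theme":"dark"}').toString('base64'),
  'cart_id': 'c9f3-2210',
};

console.log(findStagedCardData(SAMPLE_STORAGE));
```

In a browser the snapshot would be `Object.fromEntries(Object.entries(sessionStorage))`, taken from a periodic integrity check or a DevTools session; the Base64 gate keeps the Luhn scan from firing on ordinary plaintext keys.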

“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” the researcher said.

As to how the script got into the page in the first place, Afrahim explained that it was injected via 'vnav.js', a JavaScript file used for navigating the UI menu.

“The code itself is claiming to be jQuery UI — v1.10.3, used for navigation UI menu, but there is the addition of the script to load the secondary malicious script to post data via a third script,” the researcher said.

A quick search for domains containing the tainted Volusion JavaScript revealed 6,593 web pages that are probably hosted by Volusion and might be affected.

The above-mentioned incident falls into the category of so-called Magecart attacks, or web card skimming, in which cybercriminals steal payment card details from websites and e-commerce platforms. These types of attacks have been happening for nearly a decade, but in the past two years they have intensified. According to a recent RiskIQ report, over the last few months card-stealing scripts were spotted on more than 18,000 websites.
