For those unaware, storage.googleapis.com is a Google Cloud Storage domain name; Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. Anyone can sign up, choose a unique bucket name and serve content with the performance and scalability of Google’s cloud. The odd part was that the file was the only resource loaded from a source other than 'sesamestreetlivestore.com' or 'volusion.com' affiliated websites.
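That observation, a single resource fetched from an origin outside the store's own and its platform's domains, is exactly the kind of outlier a page-resource audit should surface. The following Python script is an added example written for this article, not code from the researcher or from any of the companies named: it parses a page, resolves every script, stylesheet, image and frame reference to an absolute URL, and reports those whose host is not on an allowlist of first-party and affiliated domains. The sample HTML, the allowlist, and the `example-bucket` path on storage.googleapis.com are constructed for the demonstration and do not reproduce the actual skimmer file.

```python
# Added example (not from the original article): flag page resources whose
# origin falls outside a store's allowlist of first-party/affiliated domains.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a remote resource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of external resources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative ("/css/x.css") and protocol-relative ("//cdn/x.js")
        # references against the page URL so every entry has a scheme and host.
        self.resources.append((tag, urljoin(self.page_url, value)))


def host_allowed(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_foreign_resources(html, page_url, allowed_domains):
    """Return (tag, url) pairs whose host is not on the allowlist.

    data: and javascript: URLs carry no host and are not fetched from a
    third-party origin, so they are skipped rather than flagged.
    """
    parser = ResourceCollector(page_url)
    parser.feed(html)
    foreign = []
    for tag, url in parser.resources:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue
        if not host_allowed(parsed.hostname or "", allowed_domains):
            foreign.append((tag, url))
    return foreign


# Constructed sample page: first-party and Volusion assets plus one outlier
# that claims to be jQuery UI but is served from a Google Cloud Storage bucket.
# "example-bucket" is a placeholder, not the bucket used in the incident.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/store.css">
<script src="//a.volusion.com/lib/jquery.min.js"></script>
<script src="https://cdn.sesamestreetlivestore.com/nav.js"></script>
<script src="https://storage.googleapis.com/example-bucket/jquery-ui-1.10.3.min.js"></script>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</head><body></body></html>
"""

ALLOWED = ["sesamestreetlivestore.com", "volusion.com"]
PAGE_URL = "https://www.sesamestreetlivestore.com/"

if __name__ == "__main__":
    for tag, url in find_foreign_resources(SAMPLE_HTML, PAGE_URL, ALLOWED):
        print(f"FOREIGN {tag}: {url}")
```

Run against the sample page, only the storage.googleapis.com script is reported; the protocol-relative Volusion script, the first-party stylesheet and the inline `data:` image all pass. The suffix check in `host_allowed` requires a leading dot, so a look-alike such as `volusion.com.example` is not treated as affiliated.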
“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” the researcher said.
“The code itself is claiming to be jQuery UI — v1.10.3, used for navigation UI menu, but there is the addition of the script to load the secondary malicious script to post data via a third script,” the researcher said.
The above-mentioned incident falls into the category of so-called Magecart attacks, or web card skimming, in which cybercriminals steal payment card details from websites and e-commerce platforms. These types of attacks have been happening for nearly a decade, but in the past two years they have intensified. According to a recent RiskIQ report, card-stealing scripts were spotted on more than 18 000 websites over the last few months.