Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Magecart hackers have been gathering sensitive information from thousands of online shops after compromising top ecommerce platform and service provider Volusion.

Magecart hackers have been gathering sensitive information from thousands of online shops after compromising top ecommerce platform and service provider Volusion.

Over the past month, starting September 7, the hackers’ online credit card skimmers were active on 3,126 online shops hosted on Volusion, Trend Micro’s security researchers report.

One of the websites affected by this incident is the Sesame Street Live online store, reveals Marcel Afrahim, a researcher at Check Point.

The malicious code was injected into a JavaScript library provided by Volusion to their clients. The code was designed to load JavaScript stored on a Google Cloud Storage service, representing an almost identical copy of the legitimate library, but with the credit card skimmer carefully integrated into it.

The code was meant to copy personal information and credit card details submitted by users and send all the data to an exfiltration server belonging to the attackers.

Analysis of the compromised library has revealed that the attackers carefully integrated the code into the original script, to ensure it is part of the execution flow of the program. The code is as simple as possible, so as to make it difficult to identify, and the exfiltration server (“volusion-cdn[.]com”) is similar to a Volusion domain.

Given the hackers’ modus operandi, Trend Micro’s security researchers believe that the attack has been orchestrated by Magecart Group 6, previously identified as the notorious threat actor FIN6. Moreover, the code employed showed similarities with that used in FIN6’s previous attacks on British Airways and Newegg, the researchers say.

In addition to injecting the code into the library, the attackers integrated it into the original function of jQueryUI code executed as part of the original execution flow. Furthermore, they used a similar coding style with the original to make the injection look more like a part of the legitimate source code.

Advertisement. Scroll to continue reading.

The script loaded from Google Cloud Storage contains mainly code from the library “js-cookie” version 2.2.1, but with the credit card skimmer integrated into it. The code was designed to execute both at mouse click and touch.

“The skimmer copies the information on the entire payment form: the victim’s name, address, phone number, email address, and credit card details (the number, cardholder name, expiration month, expiration year, and CVV number),” Trend Micro explains.

The security researchers contacted Volusion soon after discovering the Magecart skimmer and the company says it has already removed the malicious code and that the issue has been addressed.

“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target. Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack,” Tim Erlin, VP of product management and strategy at Tripwire, told SecurityWeek in an emailed comment.

Related: Magecart Group Tied to Cobalt Hackers

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.