Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Magecart hackers have been gathering sensitive information from thousands of online shops after compromising top ecommerce platform and service provider Volusion.

Over the past month, starting September 7, the hackers’ online credit card skimmers were active on 3,126 online shops hosted on Volusion, Trend Micro’s security researchers report.

One of the websites affected by this incident is the Sesame Street Live online store, reveals Marcel Afrahim, a researcher at Check Point.

The malicious code was injected into a JavaScript library provided by Volusion to their clients. The code was designed to load JavaScript stored on a Google Cloud Storage service, representing an almost identical copy of the legitimate library, but with the credit card skimmer carefully integrated into it.

The code was meant to copy personal information and credit card details submitted by users and send all the data to an exfiltration server belonging to the attackers.

Analysis of the compromised library has revealed that the attackers carefully integrated the code into the original script, to ensure it is part of the execution flow of the program. The code is as simple as possible, so as to make it difficult to identify, and the exfiltration server (“volusion-cdn[.]com”) is similar to a Volusion domain.

Given the hackers’ modus operandi, Trend Micro’s security researchers believe that the attack has been orchestrated by Magecart Group 6, previously identified as the notorious threat actor FIN6. Moreover, the code employed showed similarities with that used in FIN6’s previous attacks on British Airways and Newegg, the researchers say.

In addition to injecting the code into the library, the attackers integrated it into an original function of the jQueryUI code that runs as part of the normal execution flow. Furthermore, they used a coding style similar to the original's so that the injection looked like part of the legitimate source code.

The script loaded from Google Cloud Storage consists mainly of code from the “js-cookie” library, version 2.2.1, with the credit card skimmer integrated into it. The code was designed to execute on both mouse-click and touch events.

“The skimmer copies the information on the entire payment form: the victim’s name, address, phone number, email address, and credit card details (the number, cardholder name, expiration month, expiration year, and CVV number),” Trend Micro explains.

The security researchers contacted Volusion soon after discovering the Magecart skimmer and the company says it has already removed the malicious code and that the issue has been addressed.

“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target. Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack,” Tim Erlin, VP of product management and strategy at Tripwire, told SecurityWeek in an emailed comment.

Related: Magecart Group Tied to Cobalt Hackers

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
