


Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Magecart hackers have been gathering sensitive information from thousands of online shops after compromising top ecommerce platform and service provider Volusion.

Over the past month, starting September 7, the hackers’ online credit card skimmers were active on 3,126 online shops hosted on Volusion, Trend Micro’s security researchers report.

One of the websites affected by this incident is the Sesame Street Live online store, reveals Marcel Afrahim, a researcher at Check Point.

The malicious code was injected into a JavaScript library provided by Volusion to their clients. The injected code loads a script stored on a Google Cloud Storage service; that script is an almost identical copy of the legitimate library, but with the credit card skimmer carefully integrated into it.

The code was meant to copy personal information and credit card details submitted by users and send all the data to an exfiltration server belonging to the attackers.

Analysis of the compromised library has revealed that the attackers carefully integrated the code into the original script, to ensure it is part of the execution flow of the program. The code is as simple as possible, so as to make it difficult to identify, and the exfiltration server (“volusion-cdn[.]com”) is similar to a Volusion domain.

Given the hackers’ modus operandi, Trend Micro’s security researchers believe that the attack has been orchestrated by Magecart Group 6, previously identified as the notorious threat actor FIN6. Moreover, the code employed showed similarities with that used in FIN6’s previous attacks on British Airways and Newegg, the researchers say.

In addition to injecting the code into the library, the attackers integrated it into an original function of the jQueryUI code, so that it is executed as part of the original execution flow. Furthermore, they used a coding style similar to the original to make the injection look more like a part of the legitimate source code.

The script loaded from Google Cloud Storage contains mainly code from the library “js-cookie” version 2.2.1, but with the credit card skimmer integrated into it. The code was designed to execute on both mouse click and touch events.

“The skimmer copies the information on the entire payment form: the victim’s name, address, phone number, email address, and credit card details (the number, cardholder name, expiration month, expiration year, and CVV number),” Trend Micro explains.
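A defender-side check for the two indicators described above (a storefront script pulled from a third-party storage host, and an outbound host that imitates the platform's name), as an added example that is not from Trend Micro's report or the original article. The store URL, the allowlist, the sample HTML and the bucket path are constructed assumptions; only the defanged exfiltration host comes from the article.

```javascript
// Added example: audit script hosts on a checkout page and flag brand-lookalike
// hosts among observed outbound requests. Sample data below is constructed.

// Return external <script src> entries with their host and SRI status.
function externalScripts(html, pageUrl) {
  const out = [];
  const tagRe = /<script\b([^>]*)>/gi; // simple tag scan, enough for an audit pass
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src[1], pageUrl);
    out.push({ url: url.href, host: url.hostname,
               hasSri: /\bintegrity\s*=/i.test(m[1]) });
  }
  return out;
}

// True if host equals an allowed domain or is a subdomain of one.
function underAllowed(host, allowed) {
  return allowed.some(d => host === d || host.endsWith("." + d));
}

// Scripts served from hosts outside the allowlist, or cross-origin without SRI.
function auditScripts(html, pageUrl, allowed) {
  const pageHost = new URL(pageUrl).hostname;
  return externalScripts(html, pageUrl)
    .map(s => ({ ...s, reasons: [
      !underAllowed(s.host, allowed) && "unlisted-host",
      s.host !== pageHost && !s.hasSri && "no-sri" ].filter(Boolean) }))
    .filter(s => s.reasons.length > 0);
}

// Hosts that contain the brand token but are not under a legitimate domain.
function lookalikes(hosts, brand, allowed) {
  return hosts.filter(h => h.toLowerCase().includes(brand) && !underAllowed(h, allowed));
}

// Constructed sample: a storefront page and outbound hosts seen at checkout.
const PAGE = "https://shop.example/checkout";
const ALLOWED = ["shop.example", "volusion.com"]; // assumed allowlist
const HTML = `
<script src="/js/site.js"></script>
<script src="https://storage.googleapis.com/example-bucket/lib.js"></script>
<script src="https://cdn.volusion.com/a.js" integrity="sha384-PLACEHOLDER"></script>`;
const SEEN = ["shop.example", "cdn.volusion.com", "volusion-cdn[.]com".replace("[.]", ".")];

console.log(auditScripts(HTML, PAGE, ALLOWED));
console.log(lookalikes(SEEN, "volusion", ALLOWED));
```

The substring match in `lookalikes` only catches imitations that embed the brand name; an allowlist enforced through a Content Security Policy covers hosts that do not.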

The security researchers contacted Volusion soon after discovering the Magecart skimmer and the company says it has already removed the malicious code and that the issue has been addressed.

“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target. Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack,” Tim Erlin, VP of product management and strategy at Tripwire, told SecurityWeek in an emailed comment.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
