Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Magecart hackers have been gathering sensitive information from thousands of online shops after compromising top ecommerce platform and service provider Volusion.

Over the past month, starting September 7, the hackers’ online credit card skimmers were active on 3,126 online shops hosted on Volusion, Trend Micro’s security researchers report.

One of the websites affected by this incident is the Sesame Street Live online store, reveals Marcel Afrahim, a researcher at Check Point.

The malicious code was injected into a JavaScript library provided by Volusion to their clients. The code was designed to load JavaScript stored on a Google Cloud Storage service, representing an almost identical copy of the legitimate library, but with the credit card skimmer carefully integrated into it.

The code was meant to copy personal information and credit card details submitted by users and send all the data to an exfiltration server belonging to the attackers.

Analysis of the compromised library has revealed that the attackers carefully integrated the code into the original script, to ensure it is part of the execution flow of the program. The code is as simple as possible, so as to make it difficult to identify, and the exfiltration server (“volusion-cdn[.]com”) is similar to a Volusion domain.

Given the hackers’ modus operandi, Trend Micro’s security researchers believe that the attack has been orchestrated by Magecart Group 6, previously identified as the notorious threat actor FIN6. Moreover, the code employed showed similarities with that used in FIN6’s previous attacks on British Airways and Newegg, the researchers say.

In addition to injecting the code into the library, the attackers integrated it into the original function of jQueryUI code executed as part of the original execution flow. Furthermore, they used a similar coding style with the original to make the injection look more like a part of the legitimate source code.

The script loaded from Google Cloud Storage contains mainly code from the library “js-cookie” version 2.2.1, but with the credit card skimmer integrated into it. The code was designed to execute both at mouse click and touch.

“The skimmer copies the information on the entire payment form: the victim’s name, address, phone number, email address, and credit card details (the number, cardholder name, expiration month, expiration year, and CVV number),” Trend Micro explains.

The security researchers contacted Volusion soon after discovering the Magecart skimmer and the company says it has already removed the malicious code and that the issue has been addressed.

“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target. Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack,” Tim Erlin, VP of product management and strategy at Tripwire, told SecurityWeek in an emailed comment.

Related: Magecart Group Tied to Cobalt Hackers

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets