Hackers Compromise Volusion, Steal Card Details From 6,500 Websites

Volusion, a provider of cloud-hosted online stores has been affected by a credit card stealing attack, it has been reported.

The breach is potentially very serious, as Volusion is known to have 20,000 small business customers and at least 6,500 of them have been affected including the the Sesame Street store.

The Magecart attack was noticed by Check Point security researcher Marcel Afrahim, who then published a blog on Medium about the issue. The attack has since been confirmed by other security firms.

Credit card data

Afrahim noticed that there was an “odd javascript file being loaded from storage.googleapis.com with interesting bucket name of volusionapi.”

Afrahim wrote that hackers had infiltrated Volusion’s Google Cloud infrastructure earlier this week, and planted a piece of malicious code in that JavaScript file on Volusion’s server.

The code was designed to transfer credit card details entered into online forms, and it is feared that the debit and credit card details of thousands of online shoppers are now at risk.

“The compromise is not only unique to Sesame-Street Store and most likely any e-commerce website hosted on Volusion is probably running malicious code and posting the credit card info of the consumers to the outsider domain,” warned Afrahim.

“The most obvious threat actor that is currently famous for card skimming and compromising over 2 M e-commerce websites is Magecart which has the history of using Vultr Holdings data centers and using public cloud storage to host their malicious scripts,” he added.

The Magecart group were behind the “skimming” code on British Airways’ website in 2018, and RiskIQ recently warned that Magecart hacks had increased by 20 percent in the last year.

Wake up call

A number of security experts expressed alarm at the hack.

“The Volusion card skimming breach is yet another wake up call to the industry and all cloud service providers to keep increasing cost to break, invest in making breach extent as contained as possible and for God’s sake keep Bert and Ernie safe!” said Sam Curry, chief security officer at Cybereason.

“The best measure of practical security is cost to break, and the equation is simple: value of target divided by cost to break,” said Curry. “If moving to the cloud made you more secure (i.e. made you more expensive to break) then being in a cluster with other valuable targets will make the other part of the equation go up too. In the calculation of the attacker, it’s a question of when, not if, an attack is coming after the ratio crosses a certain point.”

Another expert said this type of attack was nothing new, but the danger is that the hackers have gone after a third party that has thousands of customers.

“This is another case of a Magecart attack against a third party provider used by thousands of sites, rather than a specific store,” said Richard Walter, CTO of Censornet. “In this case, hackers gained access to Volusion’s Google Cloud architecture and modified a Javascript file to include malicious code. In doing so, attackers may have gained access to all of the highly sensitive card data that Volusion has access to.”

“It’s not a new type of attack, we saw the same techniques used against British Airways and Ticketmaster last year,” said Walter. “However, the big issue here is that hackers have gone after a third party used by thousands of websites. Already it is confirmed that 6,500 of the sites Volusion is used on have been compromised by attackers.”

“The use of cloud services is now ubiquitous and providers urgently need to gain security control over their services, as it is the companies using Volusion that will ultimately be held responsible,” said Walter. “This hack goes to show that a failure to do so will cost organisations, and their customers, dearly.”

Third party caution

Meanwhile another expert echoed that e-commerce websites have to be very careful about the use of third parties.

“While a website might appear to wholly belong to one brand to the consumer, in reality most websites include multiple plugins from different suppliers,” explained Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies.

“This breach demonstrates the potential damage that can be done if just one trusted third party provider is compromised,” said Galloway. “In this case, Volusion has 20,000 customers, so 20,000 websites could potentially be compromised.”

“E-commerce sites are at particular risk to this type of attack, because of the highly valuable card data that third parties have access to, which makes them a target for hackers,” said Galloway. “However, it has to be remembered that more websites than you think now contain an e-commerce function. For example, this same Magecart attack technique was used to compromise British Airways last year.”

“While it is the third party that is at fault, it will be the company that owns the website that will ultimately be held responsible for any misuse of customer data,” said Galloway. “While pulling out plugins from a website isn’t a realistic solution, all organisations should regularly run security assessments on their web applications to uncover vulnerabilities such as these and mitigate them quickly.”

“From the point of view of consumers who could be affected, they should closely monitor their bank statements for any unusual activity and alert their bank immediately if they notice any,” Galloway concluded.”

Do you know all about security? Try our quiz!