Up to 20,000 ecommerce websites at risk of Magecart attacks following Volusion server compromise

The attack targeted at least 6,500 online stores - possibly as many as 20,000 - including the Sesame Street store

A Magecart attack on cloud infrastructure provider Volusion has endangered the debit and credit card details of thousands of online shoppers.

The attack, which has been confirmed by multiple cyber security firms, targeted at least 6,500 online stores including one for Sesame Street, which sells merchandise from the popular kids' show. However, as many as 20,000 online stores worldwide could be affected.

According to an online post published on Medium by Check Point security researcher Marcel Afrahim, hackers infiltrated Volusion's Google Cloud infrastructure earlier this week and planted a piece of malicious code in a JavaScript file on Volusion's server. The code was designed to transfer credit card details entered into online forms.

The compromised JavaScript file was hosted at https://storage.googleapis.com/volusionapi/resources.js, and was loaded on the websites of Volusion-based stores via the /a/j/vnav.js file.

The details of online stores confirmed to have been affected by the security breach can be viewed here.

Security researchers described the breach as a Magecart attack, also known as 'web skimming': a specific type of cyber attack in which attackers attempt to steal shoppers' credit card details from e-commerce websites, rather than from ATMs.

The number of Magecart attacks has intensified over the past two years. In recent months, more than 17,000 online stores have been found to contain card-stealing malicious scripts, according to security researchers at RiskIQ.

Magecart threat actors usually exploit security flaws in self-hosted stores to implant skimming scripts that steal buyers' card details. However, hackers sometimes also succeed in infiltrating cloud-based platforms (like Volusion) or firms providing ads, analytics, or other services to online stores.

Magecart breaches can be difficult to detect as many companies remain unaware that their servers have been compromised by attackers.

That allows the hacks to persist for weeks or even months and years without being noticed because the changes to JavaScript code are subtle and hard to spot for the untrained eye. However, organisations can deploy automated tools to regularly scan sensitive pages for any small unapproved change.
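One way to implement the kind of automated scan described above, as an added example that is not code from the article or from any vendor it mentions: the audit extracts every external script from a sensitive page, hashes what is actually served, and compares it with an approved baseline. The function names, the `example.test` URL, the script bodies and the caller-supplied `fetch` function are all assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))


def sri_sha384(body: bytes) -> str:
    """Digest in the format used by the HTML integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def audit_page(html, fetch, baseline):
    """Return (src, finding) pairs; fetch(src) -> bytes, baseline maps URL -> digest."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in baseline:
            findings.append((src, "unapproved script"))
            continue
        if sri_sha384(fetch(src)) != baseline[src]:
            findings.append((src, "content changed"))
        if integrity is None:
            findings.append((src, "no integrity attribute"))
    return findings


# Constructed sample data: the URL and script bodies are placeholders.
CDN = "https://cdn.example.test/resources.js"
APPROVED = b"function initNav(){document.title='Shop';}"
TAMPERED = APPROVED + b"/* one appended line */"
PAGE = f'<html><body><form id="checkout"></form><script src="{CDN}"></script></body></html>'
BASELINE = {CDN: sri_sha384(APPROVED)}

if __name__ == "__main__":
    print(audit_page(PAGE, lambda src: TAMPERED, BASELINE))
```

In production `fetch` would be an HTTP client run on a schedule against checkout and payment pages, with the baseline updated only through an approved release process.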

A Magecart attack on British Airways last year compromised credit card details of around 500,000 customers. The airline is now facing a £183 million fine under GDPR and a class-action lawsuit from affected customers.

Last month, security researchers warned that threat actors have been bringing old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.

Cyber security firm Malwarebytes had earlier warned e-commerce companies about a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems. The firm claimed that it had blocked nearly 65,000 web-skimming Magecart data theft attempts in July alone.