6,500 online stores breached in Volusion supply-chain attack

Customer credit card details were targeted using a malicious piece of JavaScript.
9 October 2019

The breach was first discovered on the Sesame Street online store.

More than 6,500 online stores have been impacted by a cyberattack, which could have resulted in the theft of thousands of customers’ payment card details. 

The breach was the result of a supply-chain attack: attackers compromised the infrastructure of Volusion, a provider of cloud-hosted online stores, which claimed in a press release last month to have 20,000 customers.

Shoppers have spent more than US$28 million in transactions via the solution, making more than 185 million orders.

ZDNet published a link to the full list of 6,593 sites that had been breached. Alongside small retailers of goods such as laptop batteries, vaping supplies and jewelry, one of the more notable victims was the official Sesame Street online store, where a researcher discovered the issue.

Volusion presented concentrated targets

“The times of ‘we are just a small store – hackers won’t target us’ are over,” said Comforte AG product manager Felix Rosbach, commenting on the news. Wherever they are stored, payment card details are “extremely valuable data sets for fraudsters,” he said.

“When hackers are able to breach cloud-based platforms – like Volusion in this case – they gain access to a huge amount of data sets by targeting hundreds of stores with a single attack.”

The incident was discovered by Marcel Afrahim, an endpoint security and malware researcher, who unexpectedly came across the code while browsing the Sesame Street online store. In a Medium post (entitled ‘[…] How the cookie monster is stealing credit card info’), Afrahim explained how the attackers gained access to Volusion’s Google Cloud infrastructure.

The researcher claims to have found the issue while toy shopping.

Once there, they modified a JavaScript file served to the stores so that it carried malicious code which silently logs details entered into online forms, allowing payment data typed in at checkout to be collected.

The discovery has been regarded as a ‘classic’ Magecart supply-chain attack, where hackers ‘skim’ credit card data from online checkouts. While these attacks have been ongoing for several years, ZDNet reports they have “intensified” in the last few years, citing a RiskIQ report that claimed to have spotted ‘skimmers’ or card-stealing scripts on more than 18,000 websites in the last few months.  

The majority of Magecart attacks target self-hosted and outdated online shops, which aren’t sufficiently protected. However, compromising cloud providers such as Volusion, as well as third-party apps, widgets and ads can provide access for malicious code to be injected. 
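The attack described above shows up, from the outside, as a hosted script whose content changes or as a script tag the checkout page never loaded before. As an added example (not from the article, and not Volusion's or any vendor's code), the following defender-side check records a hash baseline of the scripts a checkout page loads and reports anything added, removed or modified; every URL and script body in it is constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    # Collects the src attribute of every external <script> tag on a page.
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])

def script_sources(html):
    p = ScriptCollector()
    p.feed(html)
    return p.srcs

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def audit(page_html, fetch, baseline):
    """Diff the scripts a checkout page loads against a known-good baseline.
    fetch(url) returns the script body as bytes (a real monitor would use HTTP).
    A changed hash or a URL absent from the baseline is what a modified hosted
    file or an injected script tag looks like to an external monitor."""
    current = {s: sha256(fetch(s)) for s in script_sources(page_html)}
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(s for s in current if s in baseline and current[s] != baseline[s]),
    }

# Constructed sample data: a clean platform script, then the same URL serving
# that script with an unexpected block appended, plus a script not in the baseline.
CLEAN_JS = b"function checkout(){ /* platform checkout logic */ }\n"
ALTERED_JS = CLEAN_JS + b"/* constructed: unexpected appended block */ var x = 1;\n"
CART_JS = b"var cart = {};\n"
BASELINE = {
    "https://cdn.platform.invalid/checkout.js": sha256(CLEAN_JS),
    "https://cdn.platform.invalid/cart.js": sha256(CART_JS),
}
CHECKOUT_PAGE = """<html><body><form id="payment"></form>
<script src="https://cdn.platform.invalid/checkout.js"></script>
<script src="https://cdn.platform.invalid/cart.js"></script>
<script src="https://static.thirdparty.invalid/extra.js"></script></body></html>"""
SERVED = {"https://cdn.platform.invalid/checkout.js": ALTERED_JS,
          "https://cdn.platform.invalid/cart.js": CART_JS,
          "https://static.thirdparty.invalid/extra.js": b"/* constructed: new script */\n"}

def run_sample():
    return audit(CHECKOUT_PAGE, SERVED.__getitem__, BASELINE)
```

Run on a schedule against the live checkout page, any non-empty "added" or "modified" list is the signal to pull the served file and compare it with the platform's release before trusting it again.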

Cloud service supply-chain attacks

While moving to a cloud service provider may make a business more secure, Cybereason’s Chief Security Officer, Sam Curry, said customers must also consider “cost to break” as the best measure of practical security.

“If moving to the cloud made you more secure – or made you more expensive to break – then being in a cluster with other valuable targets will make the other part of the equation go up too.

“In the calculation of the attacker, it’s a question of when, not if, an attack is coming after the ratio crosses a certain point,” Curry said. 

Tripwire VP Tim Erlin agreed, adding that while offloading the work of processing transactions is an investment in convenience and (in theory) security, the concentration of credit card data in one place makes providers like Volusion an “attractive target”.

The founder and CEO of web security company ImmuniWeb, Ilia Kolochenko, said the breach was “one more sharp reminder” of the risks of supply-chain attacks from third parties and the cloud.

“Properly implemented continuous security monitoring could have prevented this incident,” Kolochenko said, adding that while it was premature to draw any conclusions, one thing is clear: “Volusion, breached stores, their customers and banks that issued the compromised cards, are doomed for expensive and protracted litigation with numerous counter and cross-claims.”

Update (October 10, 2019): A Volusion spokesperson contacted TechHQ to state that the firm was alerted to a data security incident and “can confirm that it was resolved within a few hours of notification”; “We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts.”

Volusion added that a “limited portion” of customer information was compromised from a subset of its merchants, which included credit card information but no other personally identifying details.

“We are not aware of any fraudulent activity connected to this matter,” the firm said, adding: “Volusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants.”