How a Magecart Attack Works and How Volusion Was Hacked

Magecart attacks are becoming far too common. Nobody really has the answers, and large companies and systems are now getting hacked weekly. Here’s our recap of how Magecart attacks work and how Volusion was hit.

What Happened? 

Hackers were able to compromise Volusion’s Google Cloud environment and load malicious skimmer code onto more than 6,500 customer sites. The cloud-based e-commerce platform Volusion was infiltrated by Magecart attackers, who stole payment information from its customers’ websites.

Magecart Group 6, also referred to as FIN6, was identified as the likely perpetrator by security firm Trend Micro. This is the same group behind the high-profile Magecart attacks on British Airways, Newegg, and Ticketmaster in 2018. They have been active since 2015 and go after high-value U.S. and European targets from which they can collect thousands of credit card records at once.

Magecart attacks started when online credit card skimmers began running rampant in stores using the Magento shopping cart system. The attacks continue to work in a similar way, targeting the checkout process; the latest victim was Volusion in early October 2019.

How Was Volusion Hacked?

The Volusion attackers targeted the infrastructure of a single company in order to compromise the checkout pages of thousands of online stores at once.

Shortly after the discovery, Volusion issued a statement confirming it was alerted to the security breach and resolved the problem “within a few hours of notification.” Now they are helping secure accounts and are working with authorities on the matter. Their official statement said,

“A limited portion of customer information was compromised from a subset of our merchants,” a spokesperson says. “This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.”

The first to notice the breach was Marcel Afrahim, a security researcher with Check Point, on his virtual shopping trip to the Sesame Street Live Store. The store is built with Volusion’s All-in-One E-commerce Website Builder. 

During checkout, he noticed a JavaScript file being loaded from storage.googleapis.com, from a bucket named “volusionapi”. It was the only external JavaScript on the page, and it was being served from a generic storage site rather than from Volusion’s own Google Cloud infrastructure.

Afrahim explained that “storage.googleapis.com is a Google Cloud Storage domain name for a file storage web service. Anyone can register, pick a bucket name, and serve their own content.”

Examining the code revealed that the script was posting credit card information from the checkout page to another domain name, while presenting itself as the innocuous “JavaScript Cookie” library.

Afrahim pointed out that even an analyst might overlook a domain name like this one, which was designed to blend in with Volusion’s real infrastructure.

A GET request to Volusion-Cdn[.]com redirects to a legitimate Volusion CDN. However, he discovered that the domain had only been registered on September 7 and had nothing in common with Volusion’s infrastructure or name servers.

How Are Others Vulnerable To Being Hacked?

This isn’t the first time that attackers have taken advantage of legitimate service providers to spread malicious code. 

  • In April, another similar credit card skimming campaign hit the online stores of several college campuses.
  • In May, obfuscated JavaScript was injected into three marketing services to scrape information, including login data and credit card details, from thousands of websites. Anyone who visited a website that used the three tools was affected in the attack.
  • In September, the booking websites of chain-brand hotels were targeted, marking the second time Trend Micro saw attackers hitting e-commerce service providers instead of individual shops.


You are most vulnerable at the most accessible entry point to your website. Many attackers have targeted misconfigured AWS accounts because they are the most obvious opening likely to go unnoticed; however, they will go after whichever vector gives them the highest payout for the fewest resources.

Afrahim is said to have found nearly 6,600 web pages that appear to be hosted by Volusion, although the e-commerce provider’s website states over 30,000 merchants are using its services, so the number of infected sites could be much higher.

Security Implications and What You Should Do

An attacker could launch a Magecart operation by purchasing an exploit and injecting malicious JavaScript onto an e-commerce website with lax security. Volusion tends to be used by smaller stores, so online retailers can expect these attacks to continue.

There has been a correlation between the proliferation of chip cards, which make physical card skimming harder, and the rise of online skimming attacks. The key to stopping Magecart attacks such as this one is to actively monitor e-commerce sites and other sites for unauthorized changes to their checkout pages and the scripts those pages load.

Whether you’re a payment solution provider, the store owner, or the client, you should be watching for look-alike domain names like this one. Businesses have to worry not just about their own internal security, but also about the security of the third-party commerce websites that handle their sensitive data.

Since 1999, Volusion has typically been considered one of the safest and most stable e-commerce options for small and medium-sized businesses, and it has recently undergone major improvements to its services. By compromising Volusion’s internal network, the attackers might have obtained the “keys to the kingdom” that allowed them to steal credit card details from all of Volusion’s customers, making it clear that any established company can be compromised.

What Should I Do If My Volusion Site Was Hacked?

We got this question from many clients. Volusion has already sent a notice to all the affected customers on V1 of its software. We do not believe that you should email all your store customers informing them of what happened; this would definitely affect your sales and destroy the trust of many of your customers. You should, however, do the following:

  1. Contact Volusion emailing security (at) Volusion.com and ask them if your store was directly affected and if any credit cards were stolen.
  2. Continue checking Google to make sure that Google does not display your domain name as “Insecure”. 
  3. Re-evaluate all the 3rd party scripts and JS on your site if you run a Volusion site.
  4. Contact your merchant account provider and ask whether there are any specific security elements you should address or consider. (Be proactive.)
  5. Continue monitoring your site and template. 
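The indicators described earlier (a script served from a generic storage.googleapis.com bucket, a look-alike domain that was registered only weeks before the attack, a script that was not there previously) and steps 3 and 5 above can be turned into a routine check. The following script is an added example written for this article; it is not Volusion’s tooling or anything from the incident. It inventories the external scripts on a checkout page, flags any that come from a generic cloud-storage host, are not on an allowlist, sit on a recently registered domain, or were absent from (or have changed since) a saved baseline. The page host, the allowlist (cdn.example-platform.com), the script bodies, the registration dates and the audit date are all constructed sample data; the storage bucket name and the look-alike domain are the ones named in the article.

```python
import hashlib
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts on which anyone can create a bucket and serve content under a name of
# their choosing; a platform's own scripts would normally come from its domains.
GENERIC_STORAGE_HOSTS = {"storage.googleapis.com", "s3.amazonaws.com"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def external_scripts(html, page_host):
    """Return the script URLs whose host is not the page's own host."""
    collector = ScriptCollector()
    collector.feed(html)
    host = page_host.lower()
    return [s for s in collector.sources
            if urlparse(s).netloc.lower() not in ("", host)]


def sha256_hex(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def audit_page(html, page_host, allowed_hosts, baseline, fetch,
               registration_dates, audit_date, max_age_days=90):
    """Return {script_url: [reasons]} for every external script needing review.

    allowed_hosts:      hosts the checkout page is expected to load scripts from
    baseline:           {script_url: sha256 of the body on a known-good day}
    fetch:              callable returning a script body for a URL
    registration_dates: {host: date the domain was registered} (e.g. from WHOIS)
    """
    findings = {}
    for src in external_scripts(html, page_host):
        parsed = urlparse(src)
        host = parsed.netloc.lower()
        reasons = []
        if host in GENERIC_STORAGE_HOSTS:
            bucket = parsed.path.lstrip("/").split("/", 1)[0]
            reasons.append(f"loaded from generic cloud storage bucket '{bucket}'")
        if host not in allowed_hosts:
            reasons.append(f"host '{host}' is not on the allowlist")
        registered = registration_dates.get(host)
        if registered is not None and (audit_date - registered).days < max_age_days:
            age = (audit_date - registered).days
            reasons.append(f"domain registered only {age} days before the audit")
        if src not in baseline:
            reasons.append("script was not present in the baseline")
        elif sha256_hex(fetch(src)) != baseline[src]:
            reasons.append("script body changed since the baseline was recorded")
        if reasons:
            findings[src] = reasons
    return findings


# --- constructed sample data (not captured from any real site) ---------------
PAGE_HOST = "www.example-store.com"                 # hypothetical store
ALLOWED_HOSTS = {"cdn.example-platform.com"}         # assumed legitimate platform CDN
AUDIT_DATE = date(2019, 10, 8)                       # assumed day the check runs
REGISTRATION_DATES = {                               # constructed WHOIS results
    "cdn.example-platform.com": date(2010, 1, 1),
    "volusion-cdn.com": date(2019, 9, 7),            # date named in the article
}
GOOD_CART_JS = "window.cart = {items: []};"          # body seen on the good day
SAMPLE_BODIES = {
    "https://cdn.example-platform.com/js/cart.js": GOOD_CART_JS,
    "https://storage.googleapis.com/volusionapi/cookie.js": "/* unknown */",
    "https://volusion-cdn.com/loader.js": "/* unknown */",
}
BASELINE = {"https://cdn.example-platform.com/js/cart.js": sha256_hex(GOOD_CART_JS)}
SAMPLE_HTML = """
<html><head>
<script src="/js/local.js"></script>
<script src="https://cdn.example-platform.com/js/cart.js"></script>
<script src="https://storage.googleapis.com/volusionapi/cookie.js"></script>
<script src="https://volusion-cdn.com/loader.js"></script>
</head><body>checkout</body></html>
"""


def run_sample_audit(bodies=SAMPLE_BODIES):
    """Audit the constructed checkout page; returns the findings dict."""
    return audit_page(SAMPLE_HTML, PAGE_HOST, ALLOWED_HOSTS, BASELINE,
                      bodies.__getitem__, REGISTRATION_DATES, AUDIT_DATE)


if __name__ == "__main__":
    for url, reasons in run_sample_audit().items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

Run it against a saved copy of your own checkout page with your real allowlist and a baseline recorded when the page was known to be clean; the first-party script is ignored, the allowlisted CDN script passes, and the two others are reported with the reasons that apply. Re-running the audit on a schedule is the monitoring in step 5: a new script URL or a changed body on a known URL is exactly what a skimmer injection looks like from the store’s side.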


For help with identifying and resolving security issues on your website, web system, e-commerce site, API or web services, contact us. We can help.