Magecart Attack on Volusion Highlights Supply Chain Dangers

Published: 23/11/2024   Category: security




Attackers compromised Volusion's Google Cloud environment to load malicious skimmer code onto more than 6,500 customer sites.



Magecart attackers have infiltrated cloud-based e-commerce provider Volusion to successfully infect at least 6,500 customer websites with malicious code designed to lift payment card information. To do this, they had to first break into Volusion's Google Cloud environment.
Volusion is the latest target of Magecart, a threat that was first spotted a decade ago but has been ramping up over the past couple of years as attackers explore new vectors for compromise and it becomes easier to rent a skimmer kit, track malicious activity, and automate attacks at scale. Skimmers have been detected on more than two million sites, RiskIQ reports.
"During our investigations of Magecart, we have found that the attackers seem more experienced and thoughtful than many other skimmer groups," Trend Micro researchers say in an interview with Dark Reading. There are multiple Magecart actor groups who continually shift their tactics to improve their infection rates and revenue opportunities.
An attacker could launch a Magecart operation by purchasing an exploit and injecting malicious JavaScript onto a vulnerable e-commerce website. In the case of Volusion, attackers targeted the infrastructure of one company to compromise thousands of online stores' checkout pages.
Volusion has issued a statement confirming it was alerted to a security incident and resolved the problem within a few hours of notification. It has taken steps to help secure accounts and is working with authorities on the matter.
"A limited portion of customer information was compromised from a subset of our merchants," a spokesperson says. "This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter."
Marcel Afrahim, a security researcher with Check Point, first spotted a red flag on his virtual shopping trip to the Sesame Street Live Store. The store is built with Volusion's All-in-One E-commerce Website Builder; Volusion also provides the store's name servers. During checkout, he noticed a JavaScript file being loaded from storage.googleapis.com with the bucket name "volusionapi". It was the only external JavaScript being loaded from a random storage site.
As Afrahim explains, storage.googleapis.com is a Google Cloud Storage domain name for a file storage web service. Anyone can register, pick a bucket name, and serve their own content.
A closer look at this code revealed a script that was posting credit card information from the checkout page to another domain name and calling it "JavaScript Cookie". The code was masked as a simple API for handling cookies, but analysis revealed additional code with two sections. One reads the values entered in the credit card fields; after a series of checks, the data is encoded in Base64 and stored in sessionStorage, which is cleared when a page session ends.
The second part of the script reads the stored data and posts it to the attacker's primary server: hxxps://volusion-cdn.com/analytics/beacon. As Afrahim points out, even an analyst may look past a domain name like this, designed to blend in with Volusion. A GET request to Volusion-Cdn[.]com redirects to a legitimate Volusion CDN. However, he discovered the domain was only registered on September 7 and has nothing in common with Volusion infrastructure or name servers.
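The two red flags described above (a checkout script served from a shared storage bucket, and a domain that borrows the vendor's name without belonging to it) can be checked mechanically. The following is an added example, not code from Afrahim's post or from Volusion; the page host `shop.example`, the allowlist, the storage-host list and the script file names are assumptions constructed for illustration. `classify_host` can equally be run over destination hosts seen in outbound requests.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts where anyone can create a bucket and serve files (illustrative list).
SHARED_STORAGE = ("storage.googleapis.com", "s3.amazonaws.com")

def _under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify_host(host, allowed, brand):
    """Return None for an allowed host, otherwise the reason it needs review."""
    host = host.lower()
    if any(_under(host, d) for d in allowed):
        return None
    if any(_under(host, s) for s in SHARED_STORAGE):
        return "shared-storage"
    if brand in host:
        return "brand-lookalike"  # carries the brand name but is not an allowed domain
    return "third-party"

class _Scripts(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def audit_scripts(html, page_host, allowed, brand):
    """List (host, first path segment, reason) for scripts outside the allowlist."""
    parser = _Scripts()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        url = urlsplit(src)
        host = url.hostname or page_host  # a relative src is same-origin
        reason = classify_host(host, allowed, brand)
        if reason:
            bucket = url.path.strip("/").split("/")[0]
            findings.append((host, bucket, reason))
    return findings

# Constructed checkout page; the script file names are placeholders.
SAMPLE = """<html><body>
<script src="/a/j/checkout.js"></script>
<script src="https://storage.googleapis.com/volusionapi/example.js"></script>
</body></html>"""
```

For a shared-storage finding, the first path segment is the bucket name, which is the value to compare against the buckets the provider actually owns.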
"While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal," Afrahim writes in a blog post on his findings. Further analysis revealed the Sesame Street Store is not the only one affected by the malicious JavaScript. Most likely, Afrahim says, any e-commerce website hosted on Volusion is running malicious code and sharing credit card input with the external attacker-controlled domain.
The Volusion incident can most likely be attributed to Magecart Group 6, also known for last year's attack on British Airways, says Jerome Segura, head of threat intelligence at Malwarebytes. "They target sites that generate a lot of transactions, which helps them maximize their attack in a short time frame," he explains.
Group 6 was recently identified as the FIN6 APT. Part of their tactics, techniques, and procedures involves creating exfiltration domains that mimic their victim, which aligns with their efforts to blend in and evade detection.
Service Providers Are Hot Targets
This isn't the first time that attackers have taken advantage of legitimate service providers to spread malicious code. Back in May, attackers injected obfuscated JavaScript into three marketing services to scrape information, including login data and credit card details, from thousands of websites. Anyone who visited a website that used the three tools was affected in the attack.
A September Magecart attack targeted the booking websites of chain-brand hotels, marking the second time Trend Micro saw attackers hitting e-commerce service providers instead of individual shops. In May, another skimming campaign hit the online stores of college campuses.
Adversaries are after the most accessible entry point. Many have targeted misconfigured AWS accounts because they're the most obvious opening that will likely be unnoticed, but ultimately they'll go after the vector that will give them the highest payout with the fewest resources.