Magecart: The cloud-based online website hosting platform Volusion has been breached in what is being believed to be the most recent Magecart campaign. Confirmed by researchers at Check Point, TrendMicro, and RiskIQ, Magecart is the generic term that is used for compromising a website and placing a credit card skimmer on them. In this case, threat actors managed to gain access to the Google Cloud infrastructure that Volusion uses and modified a JavaScript file as well as included malicious code that would log credit card details for the attackers. The compromised file is hosted at a separate web address and is loaded into Volusion online stores. One of the main websites that were using Volusion was the official online website for Sesame Street, where researcher Marcel Afrahim broke down the attack. The website uses a single page checkout where everything seems to be legitimate except for an external JavaScript file that is being loaded from a Google Cloud storage domain, which has been known to be utilized by attackers in the past. These storage domains are a RESTful online file storage web service used for storing and accessing data on a Google Cloud Platform. Anyone can sign up for these and choose a unique name. Initially, the researcher found it odd that there was a JavaScript file being loaded from randomly named storage, which is what prompted them to look further. On the surface, the JavaScript file looked like an open-source project that would not raise an alarm, but after looking deeper into the file it was found that it could read the credit card data that was being entered on the website. After a series of checks, base64 encodes the data along with serialization and simple shift operation, preventing the data from being revealed. The data is then stored in the browser’s session storage, which is like local storage, but it gets erased when the session expires. The second part of the external JavaScript file reads the data from the browser storage and posts it to a server that is run by the attacker. The attacker went through various steps to make the traffic look standard for this attack, managing to get the file to load in the website by dynamically injecting it into the page. The code claims to be used for User Interface (UI) navigation, but an additional script is what loads the secondary malicious script that is being used by the attacker.
Analyst Notes
The case listed above was for one particular website, sesamestreetlive[dot]com, but it is likely this is the same way that other Volusion-abused websites are being attacked. In a press release last month, Volusion was quoted as saying they have 20,000 different clients, but only 6,500 of those have been confirmed to be compromised. It is possible that in the coming weeks we will learn that this attack compromised many more websites. There are many different ways to bypass putting actual credit card information into these websites, such as using a prepaid credit card or online credit cards or gift cards, which could help in the event of a breach at a company. People who believe they used any sites that were affected should monitor their bank accounts and credit cards for any suspicious or fraudulent traffic.
