Magecart: The cloud-based e-commerce hosting platform Volusion has been breached in what is believed to be the most recent Magecart campaign. Magecart is the generic term for attacks in which a website is compromised and a credit card skimmer is planted on it; this incident has been confirmed by researchers at Check Point, Trend Micro, and RiskIQ. In this case the threat actors gained access to the Google Cloud infrastructure that Volusion uses and modified a JavaScript file, adding malicious code that logs the credit card details shoppers enter. The compromised file is hosted at a web address separate from the stores themselves and is loaded into Volusion online stores from there.

One of the most prominent sites built on Volusion was the official online store for Sesame Street, where researcher Marcel Afrahim broke down the attack. The site uses a single-page checkout on which everything appears legitimate except for one external JavaScript file loaded from a Google Cloud Storage domain, a hosting location attackers have used before. Google Cloud Storage is a RESTful object storage service on Google Cloud Platform: anyone can sign up and create a bucket under a globally unique name of their choosing, so a bucket name by itself says nothing about who controls it. A JavaScript file being loaded from an oddly, seemingly randomly named bucket is what prompted the researcher to look further.

On the surface, the JavaScript file looked like an open-source project and would not raise an alarm, but a closer reading showed that it reads the credit card data entered on the checkout page. After a series of checks, the script serializes the captured data, applies a simple shift operation to it, and base64-encodes the result. This is obfuscation rather than encryption: it keeps the card data from being obvious on a casual inspection of browser storage or network traffic, but anyone with a copy of the script can reverse it. The encoded data is then written to the browser's session storage, which behaves like local storage except that it is scoped to the tab and cleared when the tab or browser session ends.
The second part of the external JavaScript file reads the stored data back out of session storage and posts it to a server run by the attacker. The attacker took several steps to make the exfiltration traffic look like ordinary checkout traffic, and got the file onto the page by injecting it dynamically rather than referencing it in the page's static HTML. The injected code claims to handle user interface (UI) navigation, but an additional script is what loads the secondary malicious script the attacker actually uses for skimming.
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security