Volusion’s shopping cart and analytics platform is one of the most popular for online retailers that sell physical goods, estimated to provide checkout services for about 30,000 merchants. That makes it a natural target for Magecart attacks. One of these groups managed to penetrate Volusion’s online infrastructure in early October, adding malicious code that skims credit card numbers and payment information from stores that use the platform.
As of now thousands of online stores have been confirmed to be compromised, but it’s possible that every store that uses the Volusion software has had payment data skimmed from it. The attack window appears to have been open for about a month from September to October.
The Volusion breach details
Volusion tends to be used by smaller stores; the biggest names on the list of known affected parties are the Sesame Street Live Online store and the official Bob Ross art supply store. In total, security researchers were able to confirm that about 6,500 stores had been compromised.
ZDNet broke the story on October 8, and Volusion indicated in media interviews conducted on October 10 that it had patched the breach. The malicious skimming code was potentially delivered to all of Volusion’s stores during the attack window, which was estimated by security researchers to have begun on September 12. The server that the stolen data was being transferred to was registered on September 7.
The hackers were able to penetrate Volusion’s Google Cloud storage account. ZDNet reports that the attackers altered JavaScript code hosted on the platform, which allowed them to skim credit card numbers, names, expiration dates and CVVs.
An analysis by security firm Trend Micro indicates that the likely perpetrator is threat actor group FIN6, also referred to as Magecart Group 6. This is the group that was behind the high-profile Magecart attacks on British Airways and Newegg. This group has been active since 2015 and focuses on attacking retailer targets in the United States and Europe, exclusively going after high-value targets from which it can collect thousands of credit card numbers in one attack.
2019: Year of the Magecart attacks
The recent attack on Volusion continues a pattern of Magecart attacks seen throughout 2019.
Though this collection of groups has been operating for several years now, they leapt to international attention in 2018 with high-profile attacks on Ticketmaster, Newegg and British Airways.
While the attacks thus far in 2019 have not hit the same peaks, the overall activity has been significant and steady.
In August, 80 ecommerce sites were compromised in a major Magecart attack. These sites mostly consisted of motorsports companies and smaller retailers of high-end luxury goods.
Using automated tools, Magecart attackers located and exploited a large number of improperly secured Amazon S3 buckets in July. This led to the compromise of over 17,000 sites.
And ongoing long-term exploitation of the MyPillow and Amerisleep websites spilled over into 2019, with attackers exploiting new vectors such as fake GitHub accounts.
Cyber security software company RiskIQ conducts ongoing research into Magecart attacks and reports that it detects hundreds per day.
Anti-Magecart security measures
Online retailers can expect these attacks to continue. There has been a correlation between the proliferation of chip systems that make physical card skimming harder and the rise of online skimming attacks. As Tim Erlin, VP of product management and strategy at Tripwire, notes:
“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target.
“Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack.”
The Volusion Magecart attack happened right in plain sight, demonstrating why criminals’ skimming preferences have shifted. It’s something that should have been noticed by an IT security team, and could have even been noticed by a particularly attentive and tech-savvy shopper.
The attackers registered a bogus “volusion-cdn” domain to receive the skimmed credit card information. The name looks legitimate at first glance, and it redirected to an actual Volusion content delivery network. However, it was also the only third-party JavaScript file on the page. A minute or so of research would uncover that the domain name had just been registered in September.
The key to stopping Magecart attacks such as this one is to actively monitor sites for changes of this nature. Deepak Patel, security evangelist at PerimeterX, points out that this is something that both payment solution providers and their clients should be doing:
“Magecart attacks compromise third-party vendor code to cast a wider net and harvest personally identifiable information (PII) from unsuspecting users. While Magento is the most targeted platform, we are now seeing Magecart attacks on platforms like Volusion. Website owners are highly dependent on e-commerce platforms like Magento and Volusion, but this can make their websites vulnerable to client-side attacks. While the British Airways and Delta Airlines data breaches get a lot of attention, it is clear that Magecart groups target businesses of all sizes and all industries. Such attacks will continue unabated until a majority of website owners focus on monitoring third-party code execution on their sites.”
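The kind of monitoring described above can start with a script inventory of the checkout page, compared against an approved host list and a known-good baseline. The following is an added example, not code from Volusion or any vendor named in the article; the host names (`shop.example`, `shop-cdn.example`), the sample page and the names `ScriptInventory` and `audit` are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: shop.example is the store, shop-cdn.example a look-alike host.
SAMPLE = ('<script src="/js/cart.js"></script>'
          '<script src="https://shop-cdn.example/analytics.js"></script>'
          '<script>track("checkout")</script>')

class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.external = []   # absolute URLs taken from <script src=...>
        self.inline = []     # hex digests of inline script bodies
        self._buf = None     # text collected while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urljoin(self.page_url, src))
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def audit(html, page_url, allowed_hosts, baseline):
    """Return (kind, detail) findings for scripts outside the allowlist or baseline."""
    inv = ScriptInventory(page_url)
    inv.feed(html)
    inv.close()
    findings = []
    for url in inv.external:
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append(("unapproved-host", url))   # e.g. a look-alike CDN name
        elif url not in baseline["external"]:
            findings.append(("new-script", url))        # approved host, unreviewed file
    findings += [("changed-inline", d) for d in inv.inline if d not in baseline["inline"]]
    return findings
```

Run on a schedule against the rendered checkout page, any non-empty result is a change that needs review before the next customer pays; hashing the fetched bodies of the external scripts as well would also catch a trusted file being altered in place.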
Magecart attacks almost always begin with familiar cyberattack vectors: the phishing of either a company employee or an employee at a vendor that has sufficient access. The attackers then move laterally through the network and escalate as much as is necessary to get access to the scripts that handle credit card transactions, whereupon they are able to slide the malicious skimming code in. Business proceeds as normal, but credit card payment information (and sometimes even shipping information and additional contact details) is being siphoned off to the attackers.
Businesses have to worry not just about their own internal security, but also the security of third-party commerce websites. In business since 1999, Volusion has typically been considered one of the safest and most stable ecommerce options for small and medium-size businesses. This attack makes clear that any established company can be compromised. By compromising Volusion’s internal network, the attackers obtained the “keys to the kingdom” that allowed them to steal credit card details from all of Volusion’s customers.
While hacking groups such as Magecart Group 6 are considered to be among the most sophisticated operators in this space, Magecart attacks are becoming increasingly accessible to criminals of all types. Some of these groups are selling Magecart skimmer kits that provide unsophisticated operators with all of the automated tools they need to compromise a commerce platform, plant code and redirect payment information to a foreign server. The users of these kits are not as dangerous as the persistent Magecart threat groups, but enough of them hammering away for long enough will eventually lead to some of them striking gold.