Attackers compromised the infrastructure of the Volusion e-commerce cloud platform and introduced malicious code that steals bank card information entered by users into online forms. Currently, the malicious code has not yet been removed from the Volusion servers, and it still compromises the company's client stores.
It is already known that this attack affected 6500 stores, but in the end their number may turn out to be even higher, as last month Volusion announced that it already serves more than 20,000 customers. One of the largest victims of the incident was the Sesame Street Live store, which has currently suspended operations.
Volusion representatives do not respond to emails and phone calls from either journalists or researchers from Check Point, Trend Micro, and RiskIQ, who also noticed the hack.
The compromised file is located at https://storage.googleapis(.)com/volusionapi/resources.js and is loaded into Volusion online stores through /a/j/vnav.js. A copy of the infected file can be found here. An analysis of this infection has already been published by Check Point analysts.
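One way a store operator could audit a loader script for the kind of third-party load described above, as an added example (not code from Volusion, Check Point or the original article). The allowlist, the `shop.example` host and the sample loader text are constructed assumptions; the real contents of vnav.js are not shown here.

```javascript
// Allowlist entries are host + path prefix, not host alone:
// storage.googleapis.com is a shared host whose first path segment is the
// bucket name, so trusting the host trusts every bucket on it.
const ALLOWED_PREFIXES = [ // assumption: one store's known-good script origins
  "shop.example/a/j/",
  "storage.googleapis.com/example-store-assets/",
];

// Constructed stand-in for a loader script; NOT the real vnav.js contents.
const SAMPLE_LOADER = `
  var s = document.createElement("script");
  s.src = "//storage.googleapis.com/volusionapi/resources.js";
  document.head.appendChild(s);
  load("https://storage.googleapis.com/example-store-assets/menu.js");
  load("https://shop.example/a/j/cart.js");
`;

// Pull absolute and protocol-relative URLs out of string literals.
function extractUrls(source) {
  const re = /["'`]((?:https?:)?\/\/[^"'`\s]+)["'`]/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Reduce a URL to "host/path": lowercase host, no scheme, query or fragment.
function normalise(url) {
  const u = new URL(url.startsWith("//") ? "https:" + url : url);
  return u.hostname.toLowerCase() + u.pathname;
}

// Return every referenced target that no allowlist prefix covers.
function findUnexpectedLoads(source, allowedPrefixes = ALLOWED_PREFIXES) {
  return extractUrls(source)
    .map(normalise)
    .filter((target) => !allowedPrefixes.some((p) => target.startsWith(p)));
}

// True when a host-only allowlist would have let this target through.
function hostOnlyWouldAllow(target, allowedPrefixes = ALLOWED_PREFIXES) {
  const host = target.split("/")[0];
  return allowedPrefixes.some((p) => p.split("/")[0] === host);
}

for (const t of findUnexpectedLoads(SAMPLE_LOADER)) {
  console.log(`unexpected script: ${t} (host-only allowlist passes it: ${hostOnlyWouldAllow(t)})`);
}
```

The same host and path-prefix distinction applies when writing a Content-Security-Policy `script-src` entry for a shared storage host.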
What happened to Volusion is a classic Magecart attack, during which attackers use web skimmers and steal payment card data through online stores, rather than through ATMs. Let me remind you that many Magecart groups practice attacks not on the stores themselves, but on various service providers and platforms. For example, in the summer of this year, it was for this reason that Picreel, Alpaca Forms, AppLixir, RYVIU, OmniKick, eGain and AdMaxim, which provide services to online stores, were compromised.