Volusion Data Breach to Affect Thousands of Customers

Cloud-hosted online store provider Volusion suffered a data breach affecting more than 30,000 merchants. Following unauthorized access to its server, hackers reportedly obtained users' financial and credit card information.

Bleeping Computer says the breach dates back to September 7, 2019.

According to ZDNet, hackers gained access to the Google Cloud storage systems this week. After gaining access to the cloud-based infrastructure, they planted malicious code in the system. The code disguises itself via the online forms found on the website, allowing it to steal customer card details.

Hackers injected the malicious code into a JavaScript file, and that file was delivered to the online stores covered by the company.

A number of cybersecurity researchers and teams have reached out to the company, including Check Point and Trend Micro Research. Apart from these two, cybersecurity firm RiskIQ is also monitoring the incident and its possible escalation.

Marcel Afrahim, a security researcher at Check Point, noticed the problem while shopping on the Sesame Street Live online store. Bleeping Computer states that the JavaScript changed during the checkout. The script is a file named ‘resources.js’, which reportedly came from ‘volusionapi.’

On closer inspection, Afrahim found that the hackers had carefully designed the unauthorized code to appear seamlessly as part of the analytics.

Although these companies informed Volusion about the incident, the cloud-hosting firm declined to make a statement. The company also failed to reach out by phone or email with further clarification.

Industry experts describe the attack on Volusion as a Magecart attack. Magecart attacks are known for skimming card data over the Internet rather than at traditional ATMs. Through this supply-chain attack, hackers gain access to credit card information.

The same Magecart attack was used by hackers in 2018 against British Airways, reports Daily Mail Online. These hackers often target online companies and e-commerce websites because these entities lack direct access to the source code. Because of this weakness, the attackers' presence can remain virtually undetected for weeks, months, or years at a time.

In a statement, RiskIQ said that “skimming code can [victimize] any visitor that makes purchases on that website.”
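A merchant that cannot see the platform's source code can still watch what its checkout page loads. The following added example (not code from Volusion or from any of the researchers named here) pins a hash of each third-party script on a page and reports scripts whose served content no longer matches the reviewed copy; the hosts, page markup and script bodies are constructed for illustration.

```javascript
// Added example: audit a checkout page's third-party scripts against pinned hashes.
const crypto = require("node:crypto");

// Subresource Integrity style digest (sha384, base64) of a script body.
function sriHash(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// List <script src> tags that load from another origin, with their integrity attribute.
function externalScripts(html, pageOrigin) {
  const found = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src[1], pageOrigin);
    if (url.origin === pageOrigin) continue; // first-party file
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    found.push({ url: url.href, integrity: integrity ? integrity[1] : null });
  }
  return found;
}

// fetched: Map url -> body served now; baseline: Map url -> hash of the reviewed copy.
function auditScripts(html, pageOrigin, fetched, baseline) {
  const findings = [];
  for (const s of externalScripts(html, pageOrigin)) {
    const pinned = baseline.get(s.url);
    const current = sriHash(fetched.get(s.url) ?? "");
    if (!pinned) findings.push({ url: s.url, issue: "unreviewed-script" });
    else if (current !== pinned) findings.push({ url: s.url, issue: "content-changed" });
    if (!s.integrity) findings.push({ url: s.url, issue: "no-integrity-attribute" });
  }
  return findings;
}

// Constructed sample data: hypothetical hosts, markup and script bodies.
const ORIGIN = "https://shop.example";
const SCRIPT_URL = "https://cdn.platform.example/resources.js";
const REVIEWED = "function initMenu(){ /* reviewed platform code */ }";
const SERVED = REVIEWED + "\n/* constructed stand-in for appended, unreviewed code */";
const PAGE = `<form id="checkout"></form>
<script src="/js/cart.js"></script>
<script src="${SCRIPT_URL}"></script>`;
function demo() {
  const baseline = new Map([[SCRIPT_URL, sriHash(REVIEWED)]]);
  const run = (body) => auditScripts(PAGE, ORIGIN, new Map([[SCRIPT_URL, body]]), baseline);
  return { clean: run(REVIEWED), tampered: run(SERVED) };
}
console.log(JSON.stringify(demo(), null, 2));
```

A legitimate platform update also produces a `content-changed` finding, so each alert calls for a review of what changed before the baseline is re-pinned.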

Following the attack on Volusion, partner merchants immediately secured their pages from potential attacks. The Sesame Street Live online store closed down earlier today after being compromised by the leak.