Proprietary 2019-09-07 · 33 days · Credential Theft, Data Theft

Volusion storefront script skimmed payments

A Volusion storefront JavaScript path loaded a Magecart skimmer from Google Cloud Storage. Confirmed scope landed in the low thousands of shops, with later fraud reporting tying hundreds of thousands of card records to the breach.

Story

The Volusion breach surfaced from a checkout page, not from a malware alert. In October 2019, researcher Marcel Afrahim noticed that the Sesame Street Live Store, a Volusion-hosted merchant, was loading an odd JavaScript file from storage.googleapis.com/volusionapi/resources.js.

That file was reached through Volusion's normal storefront JavaScript path, including /a/j/vnav.js, so it looked like part of the platform rather than a third-party add-on chosen by one merchant. The payload masqueraded as ordinary cookie-handling code while it watched the checkout flow.

Trend Micro later described the injected code as a Magecart skimmer active on 3,126 Volusion-hosted shops, with data showing activity from September 7, 2019. Other reporting and Gemini Advisory connected 6,589 to 6,593 domains to the compromised Volusion path. Some early reports speculated about up to 20,000 stores because Volusion's customer base was larger, but the confirmed infected-domain counts were lower.

The skimmer copied payment-form data, encoded and permuted it, stored it in browser sessionStorage under __utmz_opt_in_out, and then posted it to volusion-cdn.com/analytics/beacon. The attacker domain mimicked Volusion's own CDN naming closely enough to blend into a noisy checkout page.
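The two network steps described above (the script load from storage.googleapis.com and the beacon POST to volusion-cdn.com) are exactly what a storefront Content-Security-Policy with a tight script-src and connect-src would have refused. The following JavaScript is an added illustration, not code from Volusion or from any report cited here: a simplified CSP evaluator that checks both URLs against a permissive and a strict policy, with merchant.example as a constructed placeholder storefront origin.

```javascript
// Added example, not Volusion's or any vendor's code: a minimal Content-Security-Policy
// evaluator showing which of this incident's two network steps (script load from
// storage.googleapis.com, beacon POST to volusion-cdn.com) a given policy would allow.
// Simplifications: only 'self', '*', scheme sources and host sources (optional "*."
// prefix) are matched; nonces, hashes and URL paths are ignored.
const PAGE_ORIGIN = "https://merchant.example"; // constructed placeholder storefront origin

// Parse "directive src src; directive src" into Map<directive, string[]>.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) map.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return map;
}

// True if one CSP source expression matches the URL.
function sourceMatches(src, url) {
  const u = new URL(url);
  if (src === "'self'") return u.origin === PAGE_ORIGIN;
  if (src === "*") return true;
  if (src.startsWith("'")) return false; // other keywords never match a remote host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase(); // scheme-source
  const [scheme, rest] = src.includes("://") ? src.split("://") : [null, src];
  const host = rest.split("/")[0].split(":")[0].toLowerCase(); // drop path and port
  const hostOk = host.startsWith("*.") ? u.hostname.endsWith(host.slice(1)) : host === u.hostname;
  return hostOk && (scheme === null || u.protocol === `${scheme.toLowerCase()}:`);
}

// Does `policy` allow `url` under `directive`? Falls back to default-src; when neither
// directive is present the browser imposes no restriction, so the request is allowed.
function cspAllows(policy, directive, url) {
  const map = parseCsp(policy);
  const sources = map.get(directive) ?? map.get("default-src");
  return sources === undefined || sources.some((src) => sourceMatches(src, url));
}

// The two hosts named in the write-up, and which of the two steps a policy leaves open.
const SKIMMER_SRC = "https://storage.googleapis.com/volusionapi/resources.js";
const BEACON_URL = "https://volusion-cdn.com/analytics/beacon";
function evaluateIncident(policy) {
  return {
    skimmerLoads: cspAllows(policy, "script-src", SKIMMER_SRC),
    beaconSends: cspAllows(policy, "connect-src", BEACON_URL),
  };
}
const permissivePolicy = "default-src 'self' https:"; // common "anything over TLS" policy
const strictPolicy = "default-src 'self'; script-src 'self'; connect-src 'self'";
console.log(evaluateIncident(permissivePolicy), evaluateIncident(strictPolicy));
```

A real deployment would also need the platform's legitimate script and API hosts listed explicitly, which is the allowlisting work that makes a strict policy practical.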

Trend Micro assessed the activity as likely Magecart Group 6, also known as FIN6, based on the victim selection, exfiltration-domain style, and similarities to earlier British Airways and Newegg skimmers. Volusion said it resolved the issue within hours of notification and that a limited portion of customer information from a subset of merchants was compromised.

The later fraud story is related but should not be confused with the store count. Gemini Advisory found 239,000 compromised card-not-present records offered for sale after the incident and estimated that potential exposure could reach nearly 20 million records if the average small-merchant breach scale held across the confirmed Volusion merchant set.

Affected Artifacts

resources.js

hosted javascript · storage.googleapis.com · Source Archive
Observed
2019-09-07 to 2019-10-10
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:2348433df49e73217969a45726c53441f092c4a6fce57d1d58a6cf79d3976058
  • sha256:cee25c699a14a04c6e1b6e6fcd5ce7d4414c9f324b62509a7af14ae5bf749af8
  • sha256:d03f18a71ce059a79840a38aad4944426f0524bbd68a7a8fb7003c82996e6533
Notes
  • Trend Micro reported 3,126 actively affected shops; Gemini Advisory later confirmed 6,589 domains connected to the compromised Volusion path, close to the 6,593 pages found by Marcel Afrahim and cited by ZDNet/TechHQ.
  • Gemini Advisory found 239,000 card-not-present records offered for sale and modeled potential exposure at nearly 20 million records; that estimate is not the confirmed infected-store count.

Incident Context

Motive
Financial Gain
Attribution
Group
Cause
Cloud Storage Compromise
Transitive
Yes
Actor
Cybercriminal Gang
User Impact
6589

External References

Source record: proprietary/volusion/meta.yaml