A Magecart attack on cloud infrastructure provider Volusion has endangered the debit and credit card details of thousands of online shoppers.
The attack, which has been confirmed by multiple cyber security firms, targeted at least 6,500 online stores, including one for Sesame Street that sells merchandise from the popular kids' show. However, as many as 20,000 online stores worldwide could be affected.
After compromising #Volusion, #Magecart threat actor inserted @GoogleCloud hosted script to standard JS library used across their platform and credit card info to remote host Volusion-cdn[.]com pic.twitter.com/nhkT5sHvyB
— Ma?s?l (@marcelmalware) October 8, 2019
The details of online stores confirmed to have been affected by the security breach can be viewed here.
Security researchers described the breach as a Magecart attack, also known as ‘web skimming’: a specific type of cyber attack in which attackers attempt to steal the credit card details of shoppers from e-commerce websites, rather than from ATMs.
The number of Magecart attacks has intensified over the past two years. In recent months, more than 17,000 online stores have been found to contain card-stealing malicious scripts, according to security researchers at RiskIQ.
Magecart threat actors usually exploit security flaws in self-hosted stores to implant skimming scripts that steal buyers' card details. However, hackers sometimes also succeed in infiltrating cloud-based platforms (like Volusion) or firms providing ads, analytics, or other services to online stores.
Magecart breaches can be difficult to detect as many companies remain unaware that their servers have been compromised by attackers.
A Magecart attack on British Airways last year compromised the credit card details of around 500,000 customers. The airline is now facing a £183 million fine under GDPR and a class-action lawsuit from affected customers.
Last month, security researchers warned that threat actors have been bringing old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.
Cyber security firm Malwarebytes had earlier warned e-commerce companies about a summer surge in activity by web-skimming Magecart gangs, targeting organisations’ online payments systems. The firm claimed that it had blocked nearly 65,000 web-skimming Magecart data theft attempts in July alone.