Magecart attackers have infiltrated cloud-based e-commerce provider Volusion to successfully infect at least 6,500 customer websites with malicious code designed to lift payment card information. To do this, they had to first break into Volusion's Google Cloud environment.
Volusion is the latest target of Magecart, a threat that was first spotted a decade ago but has been ramping up over the past couple of years as attackers explore new vectors for compromise and it becomes easier to rent a skimmer kit, track malicious activity, and automate attacks at scale. Skimmers have been detected on more than two million sites, RiskIQ reports.
"During our investigations of Magecart, we have found that the attackers seem more experienced and thoughtful than many other skimmer groups," Trend Micro researchers say in an interview with Dark Reading. "There are multiple Magecart actor groups who continually shift their tactics to improve their infection rates and revenue opportunities."
Volusion has issued a statement confirming it was alerted to a security incident and resolved the problem "within a few hours of notification." It has taken steps to help secure accounts and is working with authorities on the matter.
"A limited portion of customer information was compromised from a subset of our merchants," a spokesperson says. "This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter."
As Afrahim explains, storage.googleapis.com is a Google Cloud Storage domain name for a file storage web service. Anyone can register, pick a bucket name, and serve their own content.
The second part of the script reads the stored data and posts it to the attackers' primary server: hxxps://volusion-cdn.com/analytics/beacon. As Afrahim points out, even an analyst may look past a domain name like this, designed to blend in with Volusion. A GET request to Volusion-Cdn[.]com redirects to a legitimate Volusion CDN. However, he discovered the domain was only registered on September 7 and has nothing in common with Volusion infrastructure or name servers.
The Volusion incident can most likely be attributed to Magecart Group 6, also known for last year's attack on British Airways, says Jerome Segura, head of threat intelligence at Malwarebytes. "They target sites that generate a lot of transactions, which helps them maximize their attack in a short time frame," he explains.
Group 6 was recently identified as the FIN6 APT. Part of their tactics, techniques, and procedures involves creating exfiltration domains that mimic their victim, which aligns with their efforts to blend in and evade detection.
Service Providers Are Hot Targets
A September Magecart attack targeted the booking websites of chain-brand hotels, marking the second time Trend Micro saw attackers hitting e-commerce service providers instead of individual shops. In May, another skimming campaign hit the online stores of college campuses.
Adversaries are after the most accessible entry point. Many have targeted misconfigured AWS accounts because they're the most obvious opening that will likely be unnoticed, but ultimately they'll go after the vector that will give them the highest payout with the fewest resources.
- Utilities' Operational Networks Continue to Be Vulnerable
- 7 Considerations Before Adopting Security Standards
- Beyond the Horde: The Uptick in Targeted Attacks (And How to Fight Back)
- 6 Active Directory Security Tips for Your Poor, Neglected AD
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Can the Girl Scouts Save the Moon from Cyberattack?"