Magecart attack on e-commerce service impacts Sesame Street store and many more

Original Post from SC Magazine
Author: Bradley Barth

Magecart hackers found out how to get to Sesame Street’s online store – and in all likelihood thousands more merchants – by initially compromising e-commerce and shopping cart service provider Volusion to deliver the credit card-skimming code.

Israel-based security researcher Marcel Afrahim, who for his day job works as a research developer at Check Point Software Technologies, recently discovered the skimming scam after shopping for toys on, the official e-commerce website for the Sesame Street Live! touring show. The store, which has been temporarily taken down, runs on an e-commerce platform from Austin-based software company Volusion. (Related site is apparently unaffected and still up and running.)

Afrahim noticed that during checkout process, a suspicious JavaScript file was loaded from a Google Cloud Storage domain name. The file, resources.jr, pretends to be a JavaScript API for handling cookies. But in reality, it’s skimmer code that’s designed to post credit card information entered by the user to a domain registered as Volusion-Cdn[.]com. But this domain has nothing to do with the legitimate Volusion; it is an attacker-controlled URL.

“The URL looks like analytics or domain tracking URL and even an analyst might just ignore it as it is,” writes Afrahim in a Medium blog post. “To an untrained eye, this does not look suspicious. Even most analysts would agree that this how legitimate analytics and web tracking traffic look like these days.”

Afrahim discovered that the card-skimmer script that was injected into the Sesame Street e-commerce page was initially stored at “”

“The directory path to the vnav.js looks to be an integral part of the e-commerce store and something that is not used for one particular customer if you are running a platform to host an e-commerce website,” explains Afrahim in the blog post. Therefore, Afrahim has concluded that Volusion was compromised to inject the Magecart script into all of its business clients.

Afrahim found nearly 6,600 web pages that appear to be hosted by Volusion, although the e-commerce provider’s website states over 30,000 merchants are using its services, so the number of infected sites could be much higher.

A long list of Volusion-powered sites that according to Afrahim are likely also injected with Magecart is available here. One such example (yes, the artist Bob Ross), whose painting supplies website is also temporarily down as of the publishing of this article.

SC Media has reached out to Volusion and Sesame Street Live!’s production company, Ellenton, Florida-based Feld Entertainment for comment.

The post Magecart attack on e-commerce service impacts Sesame Street store and many more appeared first on SC Media.

Go to Source
Author: Bradley Barth

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Appliance - Powered by TurnKey Linux