Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

For Sale: Card Data From Online Stores Using Volusion

Gemini Advisory Finds Data on Dark Web From Compromised Store Checkout Platform
For Sale: Card Data From Online Stores Using Volusion

Payment card data stolen last year when hackers compromised online stores that were using the Volusion checkout platform is now surfacing on dark web sites and forums, according to Gemini Advisory, a New York-based consultancy that specializes in anti-fraud services.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Gemini researchers have identified approximately 240,000 records related to the security breach involving these sites, with fraudsters apparently generating about $1.6 million from the sale of stolen data so far, according to the report.

Analysts confirmed that over 6,500 online stores had their checkout functions compromised during this incident, which was first reported in October 2019 (see: Volusion Payment Platform Sites Hit by Attackers). Earlier, some security analysts estimated that more than 20,000 online stores were compromised. Nevertheless, some 20 million records could have been compromised when attackers injected malicious JavaScript into these sites over the course of several months, according to the report.

"Compared to other breaches, the 239,000 records currently available in the dark web is fairly large," Christopher J.S. Thomas, an intelligence product analyst with Gemini, tells Information Security Media Group. "However, given the volume of compromised merchants, there are almost certainly many more records to be added, making this undoubtedly a major breach."

Magecart Suspected

The Gemini report confirms earlier research from security firm Trend Micro and others that the hacking of these sites using the Volusion checkout platform are likely the work of Magecart, an umbrella organization comprising a dozen groups that have been attacking e-commerce sites of companies that have included British Airways, Ticketmaster and Newegg over the last two years.

In the Volusion-related attack, the hackers injected malicious JavaScript, also referred to as JavaScript skimmers, JavaScript sniffers or JS sniffers, into the code into a cloud storage service called, according to reports (see: Surge in JavaScript Sniffing Attacks Continues).

(Source: Gemini Advisory)

From there, the Magecart group skimmed personally identifiable information from online checkout sites, including customer payment card data and names as well as phone numbers and other data, according to the Gemini report.

"Malicious code was reportedly injected into a Volusion JavaScript library that closely resembled legitimate code but included a payment card skimmer to pass along card details to an exfiltration server," according to the report. "The exfiltration server's name was 'volusion-cdn[.]com,' which resembled the legitimate server’s name to camouflage the illicit activity."

While the attack was first uncovered in October, Gemini and Trend Micro found that the hackers may have started compromising data as early as September, with the first bits of credit and payment card information appearing for sale on dark net forums in November.

About 98 percent of the payment card data offered for sale came from U.S. customers, with the hackers hitting a variety of merchants, including Marine Sanitation & Supply, Sunshine Golf and Monster Jam Store, according to the Gemini analysis. In one of the the original reports of the attack, Check Point Software Technologies found the malicious JavaScript on the Sesame Street Live online store as well.

Recent Uptick

With increases in data breaches, Gemini and other security analysts have watched a steady stream of stolen payment card and other data appear on several dark net forums.

In January, for example, Gemini found a listing on the forum Joker's Stash for stolen payment card details from the WaWa breach that in December 2019 that compromised as many as 30 million payment cards in 40 states (see: Wawa's Stolen Payment Cards Are Now for Sale).

In October 2019, Joker's Stash listed 1.3 million credit and debit cards of mostly Indian banking customers, according cybersecurity firm Group-IB found (see: Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards).

Thomas says that security standards such as EMV 3D Secure, a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present e-commerce purchases, should help stop cybercriminals from using this type of stolen data. But, unfortunately, many online merchants are not yet using EMV.

"In theory, EMV adoption prevents fraudsters from successfully cashing out skimmed cards, but in practice, many merchants often do not comply with EMV adoption standards," Thomas says. "This creates an opening that cybercriminals can and do exploit."

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.