The Sesame Street Live Store, where fans of the children’s show buy merchandise, is one of more than 6,500 websites that security researchers say may be compromised by payment skimmers after an apparent incident at an e-commerce platform.
A breach at Volusion, which provides cloud infrastructure for online stores, made it possible for thieves to insert malicious code on to many of the sites partnered with the platform, Marcel Afrahim, a malware researcher who works at Check Point, wrote in an independent blog post Tuesday. Malicious JavaScript code “which on the surface looks like some code that some developer just grabbed from any open source libraries” is extracting credit card information from affected pages, Afrahim wrote.
Volusion told CyberScoop on Wednesday that the issue, which affected what it described as “V1” merchants only, has been resolved. Customer crdit card information was also compromised, though the number of people affected remains unclear.
“We have taken appropriate measures in order to secure our customer accounts,” a spokesperson said in an emailed statement. “We are continuing to monitor this matter to assure the security of our customers.”
It’s not clear how many sites were affected, though Afrahim suggested 6,593 pages are “probably compromised” based on a search for the malicious code. The Sesame Street Live Store, the only site identified by name in Afrahim’s blog post, was offline undergoing regularly scheduled maintenance at press time.
“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” Afrahim wrote. “What was not mentioned was how did the script get into the page in the first place.”
The attack bears all the hallmarks of another Magecart-style fraud where scammers combine subtle lines of code with seemingly trivial website vulnerabilities to make off with customers’ payment information. Thieves hit more than 2 million websites with various forms of this technique, RiskIQ reported last week. As the scam has evolved, though, it’s also demonstrated with urgency how a breach at one site gives attackers an entry point into others.
Update, Oct. 10: A Volusion spokesperson confirmed to CyberScoop after this article’s publication that customer credit card information was included in this incident.