
Card data stolen in the Volusion security breach surfaces on the dark web

Security experts have discovered that card data stolen last year from Volusion-hosted online stores is now available for sale on the dark web.

Experts from the threat intel firm Gemini Advisory have discovered that card data stolen last year from Volusion-hosted online stores has surfaced on the dark web.

Volusion is a privately-held technology company that provides e-commerce software and marketing and web design services for small and medium-sized businesses. The company has over 250 employees and has served more than 180,000 customers since its founding in 1999.

In October 2019, hackers compromised the infrastructure of Volusion and distributed malicious software skimmers to steal payment card data entered by users. At the time of the attack, experts reported that more than 6,500 stores had been hacked, but they speculated that tens of thousands of e-commerce sites may have been compromised.

“Analysts discovered 239,000 compromised Card Not Present (CNP) records offered for sale in the dark web from November 2019 to the present. They affected hundreds of different merchants with websites linking to the 6,589 online stores compromised by the Volusion breach.” reads the report published by Gemini Advisory. “Fraudsters have currently generated $1.6 million USD in revenue from these stolen payment cards, with the breach potentially exposing up to 20 million records.”

The original compromise was discovered by Check Point security researcher Marcel Afrahim, who shared his findings in a blog post on Medium.

While analyzing the checkout page of one store, the expert noticed that all the resources were loading from sesamestreetlivestore.com or volusion.com affiliated websites, except for an odd JavaScript file being loaded from storage.googleapis.com, from a bucket named volusionapi.

This suggests that the hackers gained access to Volusion's Google Cloud infrastructure, which allowed them to inject into a JavaScript file the malicious code that siphons payment card details.

The compromised script was located at https://storage.googleapis.com/volusionapi/resources.js and is loaded on Volusion-based online stores via the /a/j/vnav.js file.
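The two signals the researcher relied on, a checkout page pulling a script from an origin outside the merchant's and Volusion's own domains, and a first-party-controlled file whose content silently changed, can both be checked routinely. The following is an added example, not code from the article or from Volusion: it inventories script origins on a constructed checkout page against a domain allowlist and compares script bodies against recorded SHA-256 baselines, so that a modified file on an allowlisted host is caught as well. All HTML and script bodies below are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed checkout page modelled on the case described above: first-party
# and Volusion scripts plus one loaded from a Google Cloud Storage bucket.
CHECKOUT_HTML = """
<script src="https://www.sesamestreetlivestore.com/a/j/vnav.js"></script>
<script src="https://cdn.volusion.com/js/checkout.js"></script>
<script src="https://storage.googleapis.com/volusionapi/resources.js"></script>
"""

# Domains the merchant expects checkout scripts to come from (assumed list).
FIRST_PARTY = {"sesamestreetlivestore.com", "volusion.com"}

RESOURCES_URL = "https://storage.googleapis.com/volusionapi/resources.js"
VNAV_URL = "https://www.sesamestreetlivestore.com/a/j/vnav.js"

# Constructed script bodies: the baseline recorded on a known-good day, and the
# bodies fetched today. resources.js has had content appended since baseline.
BASELINE_BODIES = {VNAV_URL: b"window.vnav = {};", RESOURCES_URL: b"var api = {};"}
CURRENT_BODIES = {
    VNAV_URL: b"window.vnav = {};",
    RESOURCES_URL: b"var api = {};\n/* content appended after baseline */",
}

def script_sources(html):
    """Return the src attribute of every <script> tag in the page."""
    return re.findall(r'<script[^>]+src="([^"]+)"', html)

def is_allowed_host(url, allowed):
    """True if the URL's host is one of the allowed domains or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in allowed)

def unexpected_origins(html, allowed):
    """Scripts loaded from hosts outside the allowlist (what the researcher spotted)."""
    return [u for u in script_sources(html) if not is_allowed_host(u, allowed)]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def integrity_drift(current, baseline):
    """URLs whose fetched body no longer matches the recorded baseline hash."""
    baseline_hashes = {u: sha256_hex(b) for u, b in baseline.items()}
    return [u for u, body in current.items() if sha256_hex(body) != baseline_hashes.get(u)]

def run_checks():
    """Run both checks over the constructed data; returns (unexpected origins, drifted scripts)."""
    return (unexpected_origins(CHECKOUT_HTML, FIRST_PARTY),
            integrity_drift(CURRENT_BODIES, BASELINE_BODIES))

if __name__ == "__main__":
    origins, drift = run_checks()
    print("unexpected origins:", origins)
    print("changed since baseline:", drift)
```

The hash comparison is the check that matters once an attacker controls a host you already trust; the origin allowlist alone only catches the bucket because storage.googleapis.com was not on it.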

Now, a new report reveals that hackers collected $1.6 million from selling more than 239,000 payment card records on the dark web that were stolen from 6,589 compromised stores.

Gemini Advisory reported that the attackers started selling the card data stolen from the Volusion infrastructure in November.

According to experts from Trend Micro, the attack was carried out by the cybercrime group tracked as FIN6 and likely started on September 7, 2019.

According to the researchers, the security breach may have exposed up to 20 million records, with a potential maximum value of $133 million USD.

“Given this figure, the maximum profit potential would be as high as $133.89 million USD. The overwhelming and continually rising dark web demand for CNP records indicates a staggering profit potential for the perpetrators of this security incident.” continues the report.

The analysis of the impacted domains reveals that 5,893 were registered in the U.S., followed by 183 registered in Canada.

According to Gemini Advisory, 98.97% of the 239,000 records already sold on the dark web were related to cards issued in the US.

“As more records make their way to the dark web and more merchants are confirmed to have been compromised via Volusion, the full extent of what is likely to be one of the largest and most wide-ranging supply-chain breaches to date will become clear.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Volusion)
