Volusion data breach impacts 6,500 sites including the Sesame Street store

Hackers have breached the infrastructure of Volusion, a leading e-commerce solution for small businesses, allowing them to collect customer card details from between 6,500 and 20,000 sites. The attack was carried out by replacing a JavaScript file served from Volusion's infrastructure with a modified version containing code that logs card details entered into online forms.

Here’s what cybersecurity experts had to say.

Saryu Nayyar, CEO of Gurucul:

“This incident is a reminder that data no longer resides solely in a single, on-premises data center where IT security is directly controlled. To save money, third parties and the cloud are now frequently used to outsource IT services.

Companies often don't check how service providers secure the data that is entrusted to them. That needs to change. Organisations that work with sensitive data must pressure their service providers to adopt the same level of data security measures that they apply internally. After all, customers trust these organisations with their most sensitive information and expect those companies to protect it.

As cyberattacks become more professional and more automated, CISOs should focus on countering these attacks with security automation. This especially needs to happen on the evolving grounds of cloud and hybrid IT. The cloud changes the rules for cybersecurity, upending conventions about staffing, locations, and authentication. But today’s behaviour-based security analytics solutions can apply big data machine learning models across the cloud and data center as if they were one environment, providing full visibility into anomalies associated with cyberattacks and insider abuse.”

Javvad Malik, security awareness advocate at KnowBe4:

“Compromising the supply chain is a common tactic used by many attackers. We’ve seen many attacks over the years that look to inject malicious code into trusted settings, such as into mobile phone app stores, WordPress plugins, or other widgets. This attack against Volusion follows the same methodology: by compromising the infrastructure, all underlying sites and users become vulnerable.

It’s unclear how the Google services of Volusion were compromised, but it reinforces the fact that no type of company is immune from attacks and therefore needs to ensure security is embedded throughout the culture of every company.”

Tim Erlin, VP at Tripwire:

“Thousands of organizations have offloaded the work and the risk for processing eCommerce transactions to third parties like Volusion. The concentration of credit card data in one place makes for an attractive target.

Data shows that since the introduction of EMV or chip cards, fraud has actively moved from card-present to card-not-present, or from the point of sale systems to online eCommerce. We’ve made it harder, though not impossible, to create counterfeit cards, and criminals have shifted their attention to easier avenues of attack.”

Felix Rosbach, product manager at comforte AG:

“The times of ‘we are just a small store – hackers won’t target us’ are over. Payment card details are extremely valuable data sets as fraud is easy to commit with stolen card information. When hackers are able to breach cloud-based platforms – like Volusion in this case – they gain access to a huge amount of data sets by targeting hundreds of stores with a single attack.”

Sam Curry, Chief Security Officer at Cybereason:

“The Volusion card skimming breach is yet another wake up call to the industry and all cloud service providers to keep increasing cost to break, invest in making breach extent as contained as possible and for God’s sake keep Ernie, Bert and Snuffy safe! 

The best measure of practical security is cost to break, and the equation is simple: value of target divided by cost to break. If moving to the cloud made you more secure (i.e. made you more expensive to break) then being in a cluster with other valuable targets will make the other part of the equation go up too. In the calculation of the attacker, it’s a question of when, not if, an attack is coming after the ratio crosses a certain point.”

Martin Jartelius, CSO at Outpost24:

“If you self-host an online store, you need to review the security of your applications and keep them updated. If relying on third parties, there is a degree of risk acceptance: you entrust that third party to keep you safe. This, of course, is a rather substantial business risk, but massive cross-site inclusion of content is extremely common practice. Just as happens here, an attack hitting servers hosting any other JavaScript content your site includes poses this risk. Most sites have rather heavy dependencies, and often the site owners are unaware.

In order to ensure a secure online presence this general advice applies: do not provide your credit card where any options exist. For some regions, the credit card companies offer the possibility of locking down online purchases, which allows you a more granular control – unlock, shop, lock again. This decreases the window of opportunity for attackers, albeit at the cost of convenience.

The risk of using a cloud-based solution is in no way different from using other hosted solutions that include active content on your website. If you trust a third-party in the domain that you include content from then you trust them no matter where they happen to operate. Cloud is not inherently unsafe, but of course it does allow vendors to use a weak password and risk the infrastructure. However, there is less of a risk that your vendor would be able to have outdated underlying infrastructure that is managed by the cloud provider who has that as their sole business.

Any business that is operating a website which processes credit cards is vulnerable to a Magecart attack. Essentially, any time content can be injected into your website, or into any modules you include, you are in theory vulnerable. You can decrease this risk by using only trusted vendors – if you want to, you can set subresource integrity in your site to better be able to trust third parties. However, it is important to note that if the third-party provider dynamically generates scripts, or if updates are made to the version you include, this will not work as intended.

http://qnimate.com/how-to-make-browsers-verify-fetched-resources-content/

There are many misconceptions about cloud-hosted online stores that should be addressed. They are no more or less a risk from a security perspective than any other store systems. Almost all those risks we see here come from outdated stores using a standard solution, custom web app vulnerabilities, or breaches hitting a central provider hosting scripts to multiple recipients. The challenges of the cloud are more related to processing and transfer of personal data, so legislative, than they relate to technical security.”

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:

“While a website might appear to wholly belong to one brand to the consumer, in reality most websites include multiple plugins from different suppliers. This breach demonstrates the potential damage that can be done if just one trusted third party provider is compromised. In this case, Volusion has 20,000 customers, so 20,000 websites could potentially be compromised.

E-commerce sites are at particular risk from this type of attack, because of the highly valuable card data that third parties have access to, which makes them a target for hackers. However, it has to be remembered that more websites than you think now contain an e-commerce function. For example, this same Magecart attack technique was used to compromise British Airways last year.

While it is the third party that is at fault, it will be the company that owns the website that will ultimately be held responsible for any misuse of customer data. While pulling out plugins from a website isn’t a realistic solution, all organisations should regularly run security assessments on their web applications to uncover vulnerabilities such as these and mitigate them quickly.

From the point of view of consumers who could be affected, they should closely monitor their bank statements for any unusual activity and alert their bank immediately if they notice any.”

Richard Walter, CTO of Censornet:

“This is another case of a Magecart attack against a third-party provider used by thousands of sites, rather than a specific store. In this case, hackers gained access to Volusion’s Google Cloud architecture and modified a JavaScript file to include malicious code. In doing so, attackers may have gained access to all of the highly sensitive card data that Volusion has access to.

It’s not a new type of attack, we saw the same techniques used against British Airways and Ticketmaster last year. However, the big issue here is that hackers have gone after a third party used by thousands of websites. Already it is confirmed that 6,500 of the sites Volusion is used on have been compromised by attackers.

The use of cloud services is now ubiquitous and providers urgently need to gain security control over their services, as it is the companies using Volusion that will ultimately be held responsible. This hack goes to show that a failure to do so will cost organisations, and their customers, dearly.”