{
	"id": "97e6d418-f585-4ac9-9ea2-d0846b8d178d",
	"created_at": "2026-04-06T00:18:54.487164Z",
	"updated_at": "2026-04-10T13:12:45.423989Z",
	"deleted_at": null,
	"sha1_hash": "e4e99526c558b60b7b3a9600ce869fb4a29e54dc",
	"title": "Hackers breach Volusion and start collecting card details from thousands of sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237969,
	"plain_text": "Hackers breach Volusion and start collecting card details from\r\nthousands of sites\r\nWritten by Catalin Cimpanu, Contributor, Oct. 8, 2019 at 12:38 p.m. PT\r\nArchived: 2026-04-05 14:24:44 UTC\r\nHackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering\r\nmalicious code that records and steals payment card details entered by users in online forms.\r\nMore than 6,500 stores are impacted, but the number could be even higher. In a press release published last month,\r\nVolusion claimed it had more than 20,000 customers.\r\nThe most notable compromise is the Sesame Street Live online store, which was taken down earlier today\r\nafter another journalist reached out.\r\nAt the time of writing, the malicious code is still on Volusion's servers and is still being delivered to all of the\r\ncompany's client stores.\r\nVolusion has not returned emails or phone calls from this reporter, nor from security researchers from Check Point\r\nand Trend Micro. Cyber-security firm RiskIQ is also tracking the incident and confirmed the hack to ZDNet.\r\n@Volusion Hi! We sent you a Direct Message. 
Looking forward to your reply.\r\n— Trend Micro Research (@TrendMicroRSRCH) October 7, 2019\r\nCompromised Google Cloud infrastructure\r\nThe incident took place this week after hackers gained access to Volusion's Google Cloud infrastructure, where\r\nthey modified a JavaScript file and included malicious code that logs card details entered in online forms.\r\nVolusion is a known Google Cloud Platform customer.\r\nVolusion code\r\nThe compromised file is hosted at https://storage.googleapis.com/volusionapi/resources.js [copy], and is loaded\r\non Volusion-based online stores via the /a/j/vnav.js file.\r\nFor users interested in the inner workings of this code, Check Point security researcher Marcel Afrahim published\r\nan analysis on Medium earlier today.\r\nClassic Magecart supply-chain attack\r\nThe incident is what cyber-security experts call a Magecart attack or web card skimming, where crooks steal\r\npayment card details from online shops, rather than ATMs. 
These types of hacks have been happening for years,\r\nbut they've intensified over the past two.\r\nIn a report published last week, RiskIQ said Magecart attacks have reached a peak, with card-stealing scripts\r\n(called skimmers) being spotted on more than 18,000 websites over the past few months.\r\nMost Magecart attacks take place when hackers use vulnerabilities in self-hosted stores to plant skimmer code on\r\noutdated online shops.\r\nBut, sometimes, hackers also manage to breach cloud-based platforms -- like Volusion -- or companies that\r\nprovide widgets, analytics, ads, or other secondary services to online stores.\r\nSomething like the latter case happened in May when hackers breached the cloud infrastructure for seven\r\ncompanies that provided services to online stores -- namely Alpaca Forms, Picreel, AppLixir, RYVIU, OmniKick,\r\neGain, and AdMaxim.\r\nThe May incidents were traced to those companies' misconfigured cloud-hosting accounts, which allowed hackers\r\nto modify existing files without permission.\r\nSimilar attacks followed over the summer, and in most, hackers targeted misconfigured Amazon Web Services\r\naccounts. The Volusion incident that's currently underway is the first one traced back to Google Cloud.\r\nSource: https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/"
	],
	"report_names": [
		"hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4e99526c558b60b7b3a9600ce869fb4a29e54dc.pdf",
		"text": "https://archive.orkl.eu/e4e99526c558b60b7b3a9600ce869fb4a29e54dc.txt",
		"img": "https://archive.orkl.eu/e4e99526c558b60b7b3a9600ce869fb4a29e54dc.jpg"
	}
}