Sesame Street store hacked with Java cookie

Credit card info is being trafficked to another site via a rogue Google Cloud storage domain name, according to a researcher

The Cookie Monster

Sesame Street's online store has been targeted by a credit card stealing hack, according to a security researcher.

Customers' card details were collected by a piece of malicious code, dubbed "JavaScript Cookie" after the legitimate cookie-handling library it imitates, which was embedded into shopping cart software built by Volusion.

Volusion, an e-commerce software firm, serves some 20,000 small-business customers, but its service has allegedly been hacked, with the malicious script delivered from a Google Cloud storage domain name.

Marcel Afrahim, a researcher at security firm Check Point, spotted the problem while shopping for Sesame Street merchandise. What's more, he believes this isn't the only site to have the same malicious code embedded.


"The compromise is not only unique to Sesame Street Store and most likely any e-commerce website hosted on Volusion is probably running malicious code and posting the credit card info of the consumers to the outsider domain," he wrote.

IT Pro has contacted Volusion for comment but has yet to receive a reply. The Sesame Street live store was down at the time of writing, with customers receiving this message: "Thank you for visiting our site! Unfortunately, our store is currently closed. We will be back online to serve you soon. Thank you for your patience."

Sesame Street's online store is built with Volusion's all-in-one e-commerce website builder. According to Afrahim, the checkout is on a single page where all the info is entered and validated before taking the user to the confirmation page.

Afrahim noticed that while all the other resources were loading from the Sesame Street and Volusion websites, an odd JavaScript file began loading from a Google Cloud storage domain name. The file name was "volusionapi" and, according to Afrahim, anyone can sign up, choose a unique bucket name and serve content from Google Cloud.

"Google Cloud Storage (and other Cloud storage providers) has been abused before where threat actors or malware authors distribute malicious code or actual malware through these legitimate services," he wrote.
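The third-party script described above is exactly what a script-origin allowlist (the kind a Content-Security-Policy `script-src` directive enforces) is meant to catch. The following Node.js audit is an added example and is not code from the article, from Check Point or from Volusion: it lists every `<script src>` origin on a page, reports the ones outside an assumed allowlist, and separately flags hosts on shared object-storage services where anyone can create a bucket. The sample page, the `.test` hostnames and the bucket path are constructed for illustration; only `storage.googleapis.com` is a real service hostname.

```javascript
// Added example, not code from the article or from Volusion: audit the
// <script src=...> origins of a checkout page against an allowlist, the way
// a strict CSP script-src directive would, and flag shared-storage hosts.

// Assumed first-party and platform origins (constructed hostnames).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example-store.test",   // assumed storefront origin
  "https://cdn.example-volusion.test", // assumed platform CDN origin
]);

// Shared object-storage hosts: anyone can sign up for a bucket there, so a
// checkout script served from one deserves review even if it looks legitimate.
const SHARED_STORAGE_HOSTS = [
  /(^|\.)storage\.googleapis\.com$/i,              // Google Cloud Storage
  /(^|\.)s3[.-][a-z0-9-]*\.?amazonaws\.com$/i,     // Amazon S3 virtual-host/path styles
];

// Pull every script src out of raw HTML and resolve it against the page URL.
function extractScriptSources(html, pageUrl) {
  const sources = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try { sources.push(new URL(raw, pageUrl).href); } catch { sources.push(raw); }
  }
  return sources;
}

// Return one finding per script that the allowlist would not permit or that
// is served from shared object storage.
function auditScripts(html, pageUrl, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const src of extractScriptSources(html, pageUrl)) {
    let url;
    try { url = new URL(src); } catch { findings.push({ src, reasons: ["unparseable src"] }); continue; }
    const reasons = [];
    if (!allowed.has(url.origin)) reasons.push("origin not in script-src allowlist");
    if (SHARED_STORAGE_HOSTS.some((r) => r.test(url.hostname))) reasons.push("served from shared object storage");
    if (reasons.length > 0) findings.push({ src, origin: url.origin, reasons });
  }
  return findings;
}

// The CSP header that would make the browser refuse anything outside the allowlist.
function cspHeaderFor(allowed = ALLOWED_SCRIPT_ORIGINS) {
  return `Content-Security-Policy: script-src 'self' ${[...allowed].join(" ")}`;
}

// Constructed checkout page: two expected scripts and one rogue bucket script.
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-volusion.test/vnav.js"></script>
<script src="https://storage.googleapis.com/example-bucket-name/cookie.js"></script>
</head><body>...</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditScripts(SAMPLE_HTML, "https://shop.example-store.test/checkout");
  console.log(JSON.stringify(findings, null, 2));
  console.log(cspHeaderFor());
}
```

Run it with `node audit.js`; the only finding is the `storage.googleapis.com` script, reported both as outside the allowlist and as shared storage. In a real deployment the CSP header is the enforcement, and the audit is the check that the allowlist still matches what the page actually loads.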

The malicious code, in this case, looks like a simple lightweight JavaScript API for dealing with cookies copied from GitHub, but is actually a complex script for sending credit card info to another site.


"At its core, the additional code consists of two sections," Afrahim explained. "The first section is reading the values entered at the Credit Card information fields and after a series of checks, it's Base64 encoded along with serialisation and simple shift operation, so that a simple Base64 deobfuscation would not reveal the data.

"The data is then stored using the browser's sessionStorage with the name '__utmz_opt_in_out'. sessionStorage is similar to localStorage; the difference is that while data in localStorage doesn't expire, data in sessionStorage is cleared when the page session ends."
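The storage key Afrahim names is chosen to look like a Google Analytics cookie, but analytics cookies such as `__utmz` live in `document.cookie`, not in Web Storage, and an opaque base64-style blob under such a name is a mismatch an analyst can check for. The following Node.js snippet is an added example, not code from the article or from Check Point: it snapshots any object implementing the Web Storage interface (`sessionStorage` in a browser, a mock here) and flags entries whose name imitates an analytics cookie while the value is a long base64-looking string. The snapshot contents are constructed; only the key name `__utmz_opt_in_out` comes from the article, and the blob under it is an arbitrary placeholder, not skimmer output.

```javascript
// Added example, not from the article: heuristic audit of a Web Storage
// snapshot for analytics-style names holding opaque base64-looking blobs.

// Copy a Storage-like object (sessionStorage/localStorage or a mock) into a plain map.
function snapshotWebStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out[key] = storage.getItem(key);
  }
  return out;
}

// Base64 alphabet with optional padding; short values are ignored to cut noise.
function looksLikeBase64(value, minLength = 32) {
  return typeof value === "string" && value.length >= minLength && /^[A-Za-z0-9+/]+={0,2}$/.test(value);
}

// Names that mimic Google Analytics cookies, which do not belong in Web Storage.
function looksLikeAnalyticsName(key) {
  return /^(__utm|_ga|_gid)/.test(key);
}

// Flag entries that match both heuristics; each finding carries its reasons.
function auditStorageSnapshot(snapshot) {
  const findings = [];
  for (const [key, value] of Object.entries(snapshot)) {
    const reasons = [];
    if (looksLikeAnalyticsName(key)) reasons.push("name imitates an analytics cookie");
    if (looksLikeBase64(value)) reasons.push("value is an opaque base64-style blob");
    if (reasons.length === 2) findings.push({ key, length: value.length, reasons });
  }
  return findings;
}

// Constructed sessionStorage contents; the blob is a placeholder, not real data.
const SAMPLE_SESSION_STORAGE = {
  cartId: "a1b2c3",
  __utmz_opt_in_out: "VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVyIGJsb2IgZm9yIHRoZSBleGFtcGxl",
  theme: "light",
};

// Minimal Storage-interface mock so the snapshot helper runs outside a browser.
function mockStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}

if (typeof require !== "undefined" && require.main === module) {
  const snapshot = snapshotWebStorage(mockStorage(SAMPLE_SESSION_STORAGE));
  console.log(JSON.stringify(auditStorageSnapshot(snapshot), null, 2));
}
```

In a browser console the same check is `auditStorageSnapshot(snapshotWebStorage(sessionStorage))`. The heuristic is deliberately narrow: it only raises an entry when both the name and the value shape are wrong for what the name claims to be, which is the pattern the article describes.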

To the untrained eye, the code doesn't look suspicious, according to Afrahim. He even suggests that most analysts would take it for legitimate analytics and web-traffic tracking, and believes the actors behind the skimming operation went through some lengthy steps to make the traffic look normal.

Worryingly, Afrahim said that he searched for the code on PublicWWW, a source-code search engine, and found 6593 web pages that are probably hosted by Volusion and are "probably compromised".

"While the results might not mean that all the 6,600 websites are compromised, it's safe to assume to all the vnav.js files are pointing to singular location and once that is compromised, the entire customer base of Volusion is compromised," he wrote.
