Sesame Street site in maintenance mode

Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms.

More than 6,500 stores[1] are impacted, but the number could be even higher. In a press release published last month, Volusion claimed it had more than 20,000 customers.

The most notable compromise is the Sesame Street Live online store, which has been taken down earlier today after another journalist reached out.

At the time of writing, the malicious code is still on Volusion's servers and is still being delivered to all of the company's client stores.

Volusion has not returned emails or phone calls from this reporter, nor from security researchers from Check Point and Trend Micro. Cyber-security firm RiskIQ is also tracking the incident and confirmed the hack to ZDNet.

Compromised Google Cloud infrastructure

The incident took place this week after hackers gained access to Volusion's Google Cloud infrastructure, where they modified a JavaScript file and included malicious code that logs card details entered in online forms. Volusion is a known Google Cloud Platform customers[2].

Volusion code

The compromised file is hosted at https://storage.googleapis.com/volusionapi/resources.js [copy[3]], and is loaded on Volusion-based online stores via the /a/j/vnav.js file.

For users interested in the inner workings of this code, Check Point security researcher Marcel Afrahim published an analysis on Medium[4] earlier today.

Classic Magecart supply-chain attack

The incident is what cyber-security experts call a Magecart attack[5] or web card skimming, where crooks steal payment card details from online shops, rather than ATMs. These types of hacks have been happening for years, but they've intensified over the past two.

In a report published last

Read more from our friends at ZDNet