Magecart hackers found a way into Sesame Street’s online store – and in all likelihood those of thousands more merchants – by first compromising e-commerce and shopping cart service provider Volusion to deliver the credit card-skimming code.
Israel-based security researcher Marcel Afrahim, who for his day job works as a research developer at Check Point Software Technologies, recently discovered the skimming scam after shopping for toys on sesamestreetlivestore.com, the official e-commerce website for the Sesame Street Live! touring show. The store, which has been temporarily taken down, runs on an e-commerce platform from Austin-based software company Volusion. (Related site www.sesamestreetlive.com is apparently unaffected and still up and running.)
"The URL looks like an analytics or domain tracking URL and even an analyst might just ignore it as it is," writes Afrahim in a Medium blog post. "To an untrained eye, this does not look suspicious. Even most analysts would agree that this is how legitimate analytics and web tracking traffic look these days."
Afrahim discovered that the card-skimmer script that was injected into the Sesame Street e-commerce page was initially stored at "https://www.sesamestreetlivestore.com/a/j/vnav.js."
"The directory path to the vnav.js looks to be an integral part of the e-commerce store and something that is not used for one particular customer if you are running a platform to host an e-commerce website," explains Afrahim in the blog post. Therefore, Afrahim has concluded that Volusion was compromised to inject the Magecart script into all of its business clients.
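The detection angle that follows from this, as an added example that is not from the article, from Afrahim, or from Volusion: a merchant or platform operator keeps a baseline of the script URLs and content hashes a storefront page loads, and alerts when a script appears that was never in the baseline or whose hash has moved, which is exactly how an injected file sitting next to legitimate analytics would show up. The host shop.example.com, the page HTML and the script bodies are constructed placeholders; only the path /a/j/vnav.js is taken from the article.

```python
import hashlib
import re
from urllib.parse import urljoin

# Matches the src attribute of external <script> tags (constructed regex, adequate for the demo)
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def script_urls(html: str, base_url: str) -> list[str]:
    """Return absolute URLs of every external <script src=...> on the page."""
    return [urljoin(base_url, src) for src in SCRIPT_SRC.findall(html)]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_against_baseline(current: dict[str, bytes], baseline: dict[str, str]) -> dict[str, list[str]]:
    """current: url -> script body fetched now; baseline: url -> sha256 recorded on a known-good day.
    A script absent from the baseline, or whose hash moved, is what a skimmer injection looks like."""
    report = {"new": [], "changed": []}
    for url, body in current.items():
        if url not in baseline:
            report["new"].append(url)
        elif baseline[url] != sha256_hex(body):
            report["changed"].append(url)
    return report

# Constructed sample: the storefront now loads one more first-party script than it used to
BASE = "https://shop.example.com/"   # placeholder host, not the real store
PAGE_HTML = """<html><head>
<script src="/a/j/jquery.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/a/j/vnav.js"></script>
</head><body></body></html>"""

# Script bodies "fetched" now; placeholder contents, not real scripts
FETCHED = {
    urljoin(BASE, "/a/j/jquery.min.js"): b"/* jquery placeholder */",
    "https://www.google-analytics.com/analytics.js": b"/* analytics placeholder */",
    urljoin(BASE, "/a/j/vnav.js"): b"/* unexpected script */",
}

# Baseline recorded earlier: only two scripts, so vnav.js should be flagged as new
BASELINE = {url: sha256_hex(body) for url, body in FETCHED.items() if not url.endswith("/vnav.js")}

def run_check() -> dict[str, list[str]]:
    urls = script_urls(PAGE_HTML, BASE)
    return diff_against_baseline({u: FETCHED[u] for u in urls}, BASELINE)

if __name__ == "__main__":
    print(run_check())   # {'new': ['https://shop.example.com/a/j/vnav.js'], 'changed': []}
```

In production the hashes would come from fetching each script with the page's own cookies and user agent, and the baseline would be re-recorded only after a reviewed deployment.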
Afrahim found nearly 6,600 web pages that appear to be hosted by Volusion, although the e-commerce provider’s website states over 30,000 merchants are using its services, so the number of infected sites could be much higher.
A long list of Volusion-powered sites that, according to Afrahim, are likely also injected with Magecart is available here. One such example is Bobross.com (yes, the artist Bob Ross), whose painting supplies website is also temporarily down as of the publishing of this article.
SC Media has reached out to Volusion and Sesame Street Live!’s production company, Ellenton, Florida-based Feld Entertainment for comment.
The original version of this article was published on SC Media US.