Magecart attack on e-commerce service impacts Sesame Street store and many more

News by Bradley Barth

Magecart hackers infiltrated Sesame Street's online store by compromising e-commerce and shopping cart service provider Volusion

Magecart hackers found out how to get to Sesame Street’s online store – and in all likelihood thousands more merchants – by initially compromising e-commerce and shopping cart service provider Volusion to deliver the credit card-skimming code.

Israel-based security researcher Marcel Afrahim, who for his day job works as a research developer at Check Point Software Technologies, recently discovered the skimming scam after shopping for toys on, the official e-commerce website for the Sesame Street Live! touring show. The store, which has been temporarily taken down, runs on an e-commerce platform from Austin-based software company Volusion. (Related site is apparently unaffected and still up and running.)

Afrahim noticed that during checkout process, a suspicious JavaScript file was loaded from a Google Cloud Storage domain name. The file, resources.jr, pretends to be a JavaScript API for handling cookies. But in reality, it’s skimmer code that’s designed to post credit card information entered by the user to a domain registered as Volusion-Cdn[.]com. But this domain has nothing to do with the legitimate Volusion; it is an attacker-controlled URL.

"The URL looks like analytics or domain tracking URL and even an analyst might just ignore it as it is," writes Afrahim in a Medium blog post. "To an untrained eye, this does not look suspicious. Even most analysts would agree that this how legitimate analytics and web tracking traffic look like these days."

Afrahim discovered that the card-skimmer script that was injected into the Sesame Street e-commerce page was initially stored at ""

"The directory path to the vnav.js looks to be an integral part of the e-commerce store and something that is not used for one particular customer if you are running a platform to host an e-commerce website," explains Afrahim in the blog post. Therefore, Afrahim has concluded that Volusion was compromised to inject the Magecart script into all of its business clients.

Afrahim found nearly 6,600 web pages that appear to be hosted by Volusion, although the e-commerce provider’s website states over 30,000 merchants are using its services, so the number of infected sites could be much higher.

A long list of Volusion-powered sites that according to Afrahim are likely also injected with Magecart is available here. One such example (yes, the artist Bob Ross), whose painting supplies website is also temporarily down as of the publishing of this article.

SC Media has reached out to Volusion and Sesame Street Live!’s production company, Ellenton, Florida-based Feld Entertainment for comment.

The original version of this article was published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews