Customer credit card data stolen in a hack of Volusion, an eCommerce platform built specifically for SMBs and hosted on Google Cloud Platform, is now for sale on the dark web. The compromise began on September 7th, 2019 and went undiscovered until October of the same year. The notorious FIN6 cyber crime gang is believed to be responsible: the attackers planted malicious JavaScript credit card skimmer code, hosted on a Google storage service, into an estimated 6,589 online stores.
“The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated,” security vendor Trend Micro said in a report on the discovery of the theft in October 2019. “When customers submit their payment information, the skimmer will copy and send the personal information and credit card details to an exfiltration server belonging to the attackers.”
FIN6 is known for its highly skilled cyber thieves and has hacked global enterprise brands such as British Airways. The group is believed to have stolen the credit card details of more than 20 million online customers, and the losses that can be traced back to the hack are estimated at more than $1.5 million.
The attack resulted from a breach of Volusion’s infrastructure. Detection was tricky: the sophisticated work done by the thieves made this far harder to spot than an ordinary skimming attack. Specifically, the JavaScript file used to compromise the sites was expertly designed to look normal, even to trained analysts. Because the skimmer was spliced into what looked like a legitimate library, served from a legitimate cloud host, neither the domain nor a casual read of the file raised a flag.
This is not the first time that Google Cloud Storage has been abused by attackers. Unfortunately, the same scalability that makes it attractive to legitimate users makes it enticing for hosting malicious code and receiving large amounts of stolen data.
“Anyone can sign up and choose a unique bucket name and serve content with the performance and scalability of Google’s cloud,” said Marcel Afrahim in a Medium post about the hack. “Google Cloud Storage (and other Cloud storage providers) has been abused before where threat actors or malware authors distribute malicious code or actual malware through these legitimate services.”
The hack is just one more in a long line of high-profile blunders by eCommerce teams at companies both small and large (such as Macy’s and MasterCard) that continue to ignore security best practices for preventing skimming attacks.