Volusion Magecart Breach Could Net Fraudsters $130m+

Fraudsters have already made $1.6m from cards stolen via a Magecart supply chain attack on popular e-commerce platform Volusion, and the figure could rise more than 100-fold over the coming months, according to new research.

The attack on Volusion’s cloud platform was described by dark web intelligence firm Gemini Advisory as “one of the largest and most wide-ranging supply-chain breaches to date.”

It ran from September to October last year and is thought to have affected at least 6589 online merchants using the platform. The MO was similar to many Magecart supply chain attacks: the hackers injected malicious digital skimming code into a Volusion JavaScript library, meaning visitors to those 6000+ sites had their card details silently exfiltrated as they entered them.

Affected companies ranged from golf stores and clothing retailers to online vape shops and even a site dedicated to monster trucks. The vast majority of cards (99%) were US-issued, reflecting the location of these businesses.

Although the stolen card details didn’t appear on the dark web immediately, from November 2019 onwards over 239,000 compromised card-not-present (CNP) records were being offered for sale on the cybercrime underground, according to the research.

The $1.6m already generated by fraudsters off the back of this haul is likely to be just the tip of the iceberg, warned Gemini Advisory.

“The average CNP breach affecting small- to mid-sized merchants compromises 3000 records; scaling this figure to the 6589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.9m,” it explained.

“The overwhelming and continually rising dark web demand for CNP records indicates a staggering profit potential for the perpetrators of this security incident. As more records make their way to the dark web and more merchants are confirmed to have been compromised via Volusion, the full extent of what is likely to be one of the largest and most wide-ranging supply-chain breaches to date will become clear.”
