Check Point security researcher Marcel Afrahim discovered the compromise while shopping on Sesame Street Live Store, a website from Feld Entertainment that sells official Sesame Street merchandise. The store is built with Volusion, which even provides the nameservers. On the checkout page, Afrahim noticed JavaScript code loading from Google Cloud Storage (storage.googleapis.com), a file storage web service for storing and accessing data on Google Cloud Platform infrastructure. The oddity was that this was the only resource loaded from a source other than 'sesamestreetlivestore.com' or 'volusion.com' affiliated websites.
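The check that exposed the compromise, a script origin outside the store's own and Volusion's domains, can be automated. The following is an added example, not code from Check Point or Volusion; the sample markup, the `cdn.volusion.com` host, the paths and the bucket name are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# First-party domains named in the article; their subdomains are accepted too.
ALLOWED_DOMAINS = ("sesamestreetlivestore.com", "volusion.com")

# Constructed checkout markup: the cdn host, paths and bucket name are placeholders.
SAMPLE_PAGE_URL = "https://www.sesamestreetlivestore.com/checkout"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.volusion.com/lib/checkout.js"></script>
<script src="//storage.googleapis.com/EXAMPLE-BUCKET/example.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src value of every external <script> tag

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def is_first_party(host, allowed=ALLOWED_DOMAINS):
    # Match on a label boundary so "evilvolusion.com" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def third_party_scripts(html, page_url, allowed=ALLOWED_DOMAINS):
    """Return absolute URLs of scripts whose host is outside the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlparse(absolute).hostname or ""
        if not is_first_party(host, allowed):
            flagged.append(absolute)
    return flagged


if __name__ == "__main__":
    for url in third_party_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("unexpected script origin:", url)
```

This inspects static markup only; scripts injected at runtime by other scripts do not appear in it and need a browser-side check or a Content-Security-Policy `script-src` allowlist with reporting.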
On the company page, Volusion boasts 30,000 merchants actively using the platform. They are from a variety of fields and the dedicated page shows merchants selling products in the apparel, home and garden, health and beauty, auto and industry, and electronics categories. From our checks, not all of them are still in business. Following reports from news outlets and security researchers, Volusion addressed the issue a few hours ago. Before that, Google took steps and displayed the red 'malware danger' warning when visiting websites loading the malicious JavaScript.