INSUBCONTINENT EXCLUSIVE:
Image copyrightGetty ImagesImage caption
Malicious cookies stole credit card information from thousands of online
stores
The official Sesame Street online store, along with thousands of other retailers, has been targeted by a credit
card-stealing hack.Card details were collected by a piece of malicious software, dubbed JavaScript Cookie.The code was found in shopping
cart software built by Volusion, which has 20,000 small business customers.The issue was spotted by a security researcher while shopping for
toys on the Sesame Street store.Volusion said that it had resolved the issue "within a few hours of notification" although its statement
came a day after the revelations."We are coordinating with authorities on this matter, and continue to enhance our systems that detect and
prevent unauthorised access to user accounts," it told the TheIndianSubcontinent.It confirmed that credit card information had been stolen
but "not other associated personally identifying details", adding that it was not aware "of any fraudulent activity" connected to it.Marcel
Afrahim, a researcher at security firm Check Point, noticed the malicious code when he was browsing on the Sesame Street Live store.In a
blog, he wrote: "The compromise is not only unique to Sesame Street Store, and most likely any e-commerce website hosted on Volusion is
probably running malicious code and posting the credit card info of the consumers to the outsider domain."He added that he had contacted
Volusion but "it had not been responsive to take down down the malicious code."The Sesame Street site is currently not active
Instead visitors see a message that reads: "We are currently performing scheduled maintenance and updates on the website."Volusion provides
shopping cart software to thousands of merchants, and according to Mr Afrahim has had 185 million orders placed via its software, amounting
to $28bn in transactions.Two other security researchers, from Trend Micro and RiskIQ, also confirmed the issue to ZDNet, which was first to
