Magecart hackers found out how to get to Sesame Street’s online store – and in all likelihood thousands more merchants – by initially compromising e-commerce and shopping cart service provider Volusion to deliver the credit card-skimming code.

Israel-based security researcher Marcel Afrahim, who for his day job works as a research developer at Check Point Software Technologies, recently discovered the skimming scam after shopping for toys on sesamestreetlivestore.com, the official e-commerce website for the Sesame Street Live! touring show. The store, which has been temporarily taken down, runs on an e-commerce platform from Austin-based software company Volusion. (Related site www.sesamestreetlive.com is apparently unaffected and still up and running.)

Afrahim noticed that during checkout process, a suspicious JavaScript file was loaded from a Google Cloud Storage domain name. The file, resources.jr, pretends to be a JavaScript API for handling cookies. But in reality, it’s skimmer code that’s designed to post credit card information entered by the user to a domain registered as Volusion-Cdn[.]com. But this domain has nothing to do with the legitimate Volusion; it is an attacker-controlled URL.

“The URL looks like analytics or domain tracking URL and even an analyst might just ignore it as it is,” writes Afrahim in a Medium blog post. “To an untrained eye, this does not look suspicious. Even most analysts would agree that this how legitimate analytics and web tracking traffic look like these days.”

Afrahim discovered that the card-skimmer script that was injected into the Sesame Street e-commerce page was initially stored at “https://www.sesamestreetlivestore.com/a/j/vnav.js.”

“The directory path to the vnav.js looks to be an integral part of the e-commerce store and something that is not used for one particular customer if you are running a platform to host an e-commerce website,” explains Afrahim in the blog post. Therefore, Afrahim has concluded that Volusion was compromised to inject the Magecart script into potentially all of its business clients.

Afrahim found nearly 6,600 web pages that appear to be hosted by Volusion, although the e-commerce provider’s website states over 30,000 merchants are using its services, so the number of infected sites could be much higher.

A long list of Volusion-powered sites that according to Afrahim are conceivably also injected with Magecart is available here. One such example Bobross.com (yes, the artist Bob Ross), whose painting supplies website is also temporarily down as of the publishing of this article.

Volusion has provided SC Media with a statement that asserts only a portion of its business customer base was affected: “Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. We are coordinating with authorities on this matter, and continue to enhance our systems that detect and prevent unauthorized access to user accounts,” the statement reads. “A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter. Volusion has taken action to help secure accounts, and we are continuing to monitor this matter in order to assure the security of our merchants.”

SC Media also reached out to Sesame Street Live!’s production company, Ellenton, Florida-based Feld Entertainment for comment.