Magecart group compromises 17,000 domains by overwriting Amazon S3 buckets

News by Bradley Barth

A Magecart cybercriminal group has automated the discovery and compromise of misconfigured Amazon S3 buckets to inject JavaScript-based payment card-skimming code

One of the "Magecart" cybercriminal groups has infected more than 17,000 web domains with JavaScript-based payment card-skimming code by developing an automated process for finding and compromising misconfigured Amazon S3 buckets, researchers have reported.

"These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains," writes Yonathan Klijnsma, researcher at RiskIQ, in a company blog post.

"Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone."
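As an added illustration (not part of the article or of RiskIQ's research), the following Python covers the two halves of what Klijnsma describes from the defender's side: it flags bucket ACL grants that give the AllUsers or AuthenticatedUsers groups write access, using the dict shape that boto3's get_bucket_acl returns, and it tells a known-good script apart from one that has had code appended to its end. The ACL and script contents are constructed samples.

```python
# S3 predefined groups: a grant to either of these is a grant to "anyone".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def public_write_grants(acl):
    """Return (group URI, permission) pairs from a get_bucket_acl()-shaped dict
    that let anyone overwrite objects in the bucket.

    A WRITE or FULL_CONTROL grant to AllUsers/AuthenticatedUsers is the
    misconfiguration that lets an automated scanner rewrite hosted scripts.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def check_script_integrity(baseline, current):
    """Compare a served .js object (bytes) against its known-good copy.

    Returns 'ok', 'appended' (known-good content intact but extra bytes were
    added at the end, the pattern described above) or 'modified'.
    """
    if current == baseline:
        return "ok"
    if len(current) > len(baseline) and current.startswith(baseline):
        return "appended"
    return "modified"


# Constructed sample data (not taken from the article): one bucket ACL and
# one script, the latter with a harmless comment standing in for appended code.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
KNOWN_GOOD_JS = b"function checkout(){return fetch('/api/pay');}\n"
TAMPERED_JS = KNOWN_GOOD_JS + b"/* appended content would sit here */\n"

if __name__ == "__main__":
    for uri, perm in public_write_grants(SAMPLE_ACL):
        print(f"public write: {perm} granted to {uri}")
    print(check_script_integrity(KNOWN_GOOD_JS, TAMPERED_JS))  # appended
```

In practice the baseline would be the copy held in your deployment pipeline, and the check would run over every object ending in `.js` in each bucket.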

Because the attackers' automated process isn't precisely targeted, not all of the affected web pages have e-commerce payment features. But those that do process financial transactions present a serious danger to customers and their data.

RiskIQ says the campaign started in early April. By May, there were reports of several thousand websites being infected with Magecart via third-party web services providers such as AdMaxim and Picreel, which had been compromised as part of a series of supply-chain attacks.

The field of 17,000+ domains affected by the Amazon S3 compromise campaign includes the websites that were impacted by that previously reported series of attacks, according to RiskIQ. Among the victims are websites in the top 2,000 of Alexa rankings.

"Make no mistake: Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type because cybercriminals always follow the money," said Deepak Patel, security evangelist at PerimeterX, in emailed comments. "Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines…"

Earlier this week, researchers from Sanguine Security Labs reported a July 4 automated Magecart card-skimming attack that successfully infiltrated 962 online stores in 24 hours. In this case, some of the victimised websites were reportedly vulnerable to PHP object injection exploits.

This article was originally published on SC Media US.
