Threat Management, Malware, Network Security

Magecart group compromises 17,000 domains by overwriting Amazon S3 buckets

One of the "Magecart" cybercriminal groups has infected more than 17,000 web domains with JavaScript-based payment card-skimming code by developing an automated process for finding and compromising misconfigured Amazon S3 buckets, researchers have reported.

"These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains," writes Yonathan Klijnsma, researcher at RiskIQ, in a company blog post yesterday.

"Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone."

Because the attackers' automated process isn't precisely targeted, not all of the affected web pages have e-commerce payment features. But those that do processing financial transactions present a serious danger to customers and their data.

RiskIQ says the campaign started in early April. By May, there were reports of several thousand websites being infected with Magecart via third-party web services providers such as AdMaxim and Picreel, which had been compromised as part of a series of supply-chain attacks.

The field of 17,000+ affected domains affected by the Amazon S3 compromise campaign includes those websites that were impacted by that previously reported series of attacks, according to RIskIQ. Among the victimizes are websites in the top 2,000 of Alexa rankings.

"Make no mistake: Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type because cybercriminals always follow the money," said Deepak Patel, security evangelist at PerimeterX, in emailed comments. "Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines..."

Earlier this week, researchers from Sanguine Security Labs reported a July 4 automated Magecart card-skimming attack that successfully infiltrated 962 online stores in 24 hours. In this case, some of the victimized websites were reportedly vulnerable to PHP object injection exploits.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.