One of the "Magecart" cybercriminal groups has infected more than 17,000 web domains with JavaScript-based payment card-skimming code by developing an automated process for finding and compromising misconfigured Amazon S3 buckets, researchers have reported.
"These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains," writes Yonathan Klijnsma, researcher at RiskIQ, in a company blog post yesterday.
"Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone."
Because the attackers' automated process isn't precisely targeted, not all of the affected web pages have e-commerce payment features. But those that do process financial transactions present a serious danger to customers and their data.
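A defender-side check for the misconfiguration described above, as an added example that is not from RiskIQ or the original article: it flags ACL grants and bucket-policy statements that give anyone write access. The function and sample names are assumptions, and the input is constructed in the shape of S3's GetBucketAcl and GetBucketPolicy responses.

```python
import fnmatch

# Predefined S3 groups: AllUsers is anyone, AuthenticatedUsers is any AWS account.
_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_GROUP + "AllUsers", _GROUP + "AuthenticatedUsers"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a caller overwrite or re-permission a hosted .js file.
# Policy patterns are matched case-insensitively and may contain wildcards.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean everyone.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)


def public_write_findings(acl, policy=None):
    """List ACL grants and policy statements that let anyone modify objects."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GROUPS and grant.get("Permission") in ACL_WRITE_PERMS:
            findings.append(f"ACL: {grantee['URI'][len(_GROUP):]} has {grant['Permission']}")
    for stmt in _as_list((policy or {}).get("Statement", [])):
        # Conditioned statements are skipped here and left for manual review.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or not _is_public(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            hits = [a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings.append(f"Policy: public Allow on {pattern} covers {', '.join(hits)}")
    return findings


# Constructed sample input, shaped like GetBucketAcl and GetBucketPolicy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": _GROUP + "AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": _GROUP + "AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"]},
]}

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

Statements that use NotAction or NotPrincipal, and any Block Public Access settings that override these grants, are not evaluated here.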
RiskIQ says the campaign started in early April. By May, there were reports of several thousand websites being infected with Magecart via third-party web services providers such as AdMaxim and Picreel, which had been compromised as part of a series of supply-chain attacks.
The field of 17,000+ domains affected by the Amazon S3 compromise campaign includes those websites that were impacted by that previously reported series of attacks, according to RiskIQ. Among the victims are websites in the top 2,000 of Alexa rankings.
"Make no mistake: Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type because cybercriminals always follow the money," said Deepak Patel, security evangelist at PerimeterX, in emailed comments. "Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines..."
Earlier this week, researchers from Sanguine Security Labs reported a July 4 automated Magecart card-skimming attack that successfully infiltrated 962 online stores in 24 hours. In this case, some of the victimized websites were reportedly vulnerable to PHP object injection exploits.