"These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains," writes Yonathan Klijnsma, researcher at RiskIQ, in a company blog post yesterday.
Because the attackers' automated process isn't precisely targeted, not all of the affected web pages have e-commerce payment features. But those that do processing financial transactions present a serious danger to customers and their data.
RiskIQ says the campaign started in early April. By May, there were reports of several thousand websites being infected with Magecart via third-party web services providers such as AdMaxim and Picreel, which had been compromised as part of a series of supply-chain attacks.
The field of 17,000+ affected domains affected by the Amazon S3 compromise campaign includes those websites that were impacted by that previously reported series of attacks, according to RIskIQ. Among the victimizes are websites in the top 2,000 of Alexa rankings.
"Make no mistake: Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type because cybercriminals always follow the money," said Deepak Patel, security evangelist at PerimeterX, in emailed comments. "Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines..."
Earlier this week, researchers from Sanguine Security Labs reported a July 4 automated Magecart card-skimming attack that successfully infiltrated 962 online stores in 24 hours. In this case, some of the victimized websites were reportedly vulnerable to PHP object injection exploits.