Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

Pierluigi Paganini July 13, 2019

The Magecart continues to target websites worldwide, it infected over 17,000 domains by targeting improperly secured Amazon S3 buckets. 

The Magecart gang made the headlines again, according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets

A few days ago, security experts at Sanguine Security have uncovered a new large-scale payment card skimming campaign that already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, hackers injected a skimmer script in the The Guardian via old AWS S3 bucket and exploiting wix-cloud[.]com as a skimmer gate.

According to RiskIQ, since April 2018, Magecart hackers adopted a new tactic that relies on misconfigured Amazon S3 buckets. These buckets allow anyone with an active Amazon Web Services account to read or write them.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets.” reads the analysis published by RiskIQ. “These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.”

The attackers scan the web for misconfigured buckets containing any JavaScript files, then download the files, modify them by appending the skimming code to the bottom, and overwrite the script on the bucket.

RiskIQ experts believe threat actors have already compromised a large number of S3 buckets affecting over 17,000 domains, including websites in the top 2,000 of Alexa rankings.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment.” concludes RiskIQ.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets.”

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other. 

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify​​

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment