Magecart group compromised 17,000 sites through misconfigured Amazon S3 buckets

• The card-skimming group scanned for vulnerable S3 buckets in order to infect websites with skimming scripts.
• The attackers opted for a more, wider reach to victim sites instead of going for targeted attacks.

A recent Magecart campaign has impacted over 17,000 websites. This campaign leveraged unsecured Amazon S3 buckets for infecting the sites with card skimming code. Some of the affected websites are also listed in Alexa’s top 2000 rankings.

According to RiskIQ, which came across this campaign in May this year, the attackers behind this campaign have shifted their focus from carrying out targeted attacks to a new approach for a wide reach of victim sites.

The big picture

• RiskIQ suggests that threat actors behind this campaign scanned for misconfigured Amazon S3 buckets for infection. These exposed S3 buckets allowed anyone with an Amazon Web Services (AWS) account to view and edit the files they contained.
• After finding an unsecured S3 bucket, the attackers looked for JavaScript files. Upon encountering these files, they downloaded them and appended card-skimming code. After that, they overwrote the original scripts.
• With this method, Magecart compromised more than 17,000 websites through misconfigured S3 buckets.

Worth noting

In his blog, security researcher Yonathan Klijnsma of RiskIQ opines on why the Magecart group went with more reach than accuracy by targeting S3 buckets.

“The actors used this technique to cast as wide a net as possible, but many of the compromised scripts do not load on payment pages. However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment,” wrote Klijnsma.