Once Again Hackers Exploit Misconfigured AWS S3 Buckets

Threat actors are continuously leveraging misconfigured AWS S3 data storage buckets to slip malicious code into websites, endeavoring to steal credit card details and conduct malvertising campaigns.

What’s happening?

  • In May, researchers from the cybersecurity firm RiskIQ discovered three compromised websites, owned by Endeavor Business Media, hosting JavaScript skimming code. This classic method is favored by Magecart, an association of several hacker groups that target online shopping cart systems.
  • Those three affected websites host content and chat forums related to emergency services provided by police officers, firefighters, and security professionals.
  • In virtual credit card skimming attacks, also called formjacking, Magecart operators secretly insert JavaScript code into a compromised website — usually on payment pages — to steal customers’ card details, which are later transferred to a remote hacker-controlled server.

Misconfigured S3 buckets - A treasure trove for attackers

  • In July 2019, Magecart conducted a similar campaign by exploiting insecure AWS S3 buckets to feed virtual credit card skimmers on 17,000 domains.
  • A malvertising operation that started in April 2019 employed a malicious script called “jqueryapi1oad” and has impacted about 277 unique hosts so far. The threat actors behind this code were also using misconfigured S3 buckets.
  • Featured in the top 30,000 of global Alexa rankings, futbolred[.]com, a Colombian soccer news site, had a misconfigured AWS S3 storage bucket.

Credit card skimming is the Magecart way

  • NutriBullet, the blender company, suffered a Magecart attack in February 2020. Weeks later, RiskIQ discovered a JavaScript skimmer placed on the NutriBullet website. To ensure that the skimmer was inserted on the payment page, Magecart targeted a resource — the jQuery JavaScript library — that every page on the site uses.
  • In March 2020, researchers from Malwarebytes spotted a credit card skimmer embedded in the website of Tupperware, a food storage company. Magecart attackers exploited vulnerabilities in the website to insert their malicious module, which siphoned off credit card details as shoppers filled in the payment forms to complete transactions.

Needless to say

Malicious actors have been exploiting misconfigured S3 buckets to insert their code into multiple websites for quite some time now. To mitigate such threats, organizations need to secure their S3 buckets and use Access Control Lists (ACLs) and bucket policies to control the access granted to public requests or other AWS accounts. In today’s threat landscape, organizations cannot flourish safely without having an inventory of their digital assets and ensuring those assets are properly configured and monitored by their security team.