Threat actors are continuously leveraging misconfigured AWS S3 data storage buckets to slip malicious code into websites, endeavoring to steal credit card details and conduct malvertising campaigns.
- Those three affected websites host content and chat forums related to emergency services provided by police officers, firefighters, and security professionals.
Misconfigured S3 buckets - A treasure trove for attackers
- In July 2019, Magecart conducted a similar campaign by exploiting insecure AWS S3 buckets to feed virtual credit card skimmers on 17,000 domains.
- A malicious script called “jqueryapi1oad” was employed in a malvertising operation that started in April 2019 and has impacted about 277 unique hosts so far. The threat actors behind this code were also using misconfigured S3 buckets.
- Featured in the top 30,000 of global Alexa rankings, futbolred[.]com, a Colombian soccer news site, had a misconfigured AWS S3 storage bucket.
Credit card skimming is the Magecart way
- In March 2020, researchers from Malwarebytes spotted a credit card skimmer embedded in the website of Tupperware, a food storage company. Magecart attackers exploited vulnerabilities in the website to insert their malicious module, which siphoned off credit card details as shoppers filled the payment forms to complete transactions.
Needless to say
Malicious actors have been exploiting misconfigured S3 buckets to insert their code into multiple websites for quite some time now. To alleviate such threats, organizations need to secure S3 buckets and use Access Control Lists (ACLs) and bucket policies to control the access granted to public requests or other AWS accounts. In today’s threat landscape, organizations cannot flourish safely without an inventory of their digital assets, and without ensuring those assets are properly configured and under the surveillance of their security team.
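
As an added illustration of the ACL and bucket-policy review recommended above (not code from the original article), the following offline check flags grants that would let any caller modify a bucket's contents. It assumes the misconfiguration of concern is write access open to the public; the function names, the bucket name `example-bucket` and the sample policy and ACL are constructed, with the ACL list shaped like the grants AWS returns for a bucket.

```python
import json
from fnmatch import fnmatchcase

# ACL grantee groups meaning "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # ACL grants that allow changes
# Policy actions that let a caller replace hosted files or loosen permissions.
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    # "*" or {"AWS": "*"} both mean any caller, including anonymous ones.
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def public_write_findings(policy_json, acl_grants):
    """List every way an unauthenticated or arbitrary caller can modify the bucket."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public(stmt.get("Principal")):
            continue
        note = " (has Condition, review manually)" if stmt.get("Condition") else ""
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain * and ? wildcards.
            if any(fnmatchcase(a.lower(), pattern.lower()) for a in WRITE_ACTIONS):
                findings.append(f"policy {stmt.get('Sid', '?')}: public {pattern}{note}")
    for grant in acl_grants:
        uri = grant["Grantee"].get("URI", "")
        if uri in PUBLIC_GROUPS and grant["Permission"] in WRITE_PERMS:
            findings.append(f"acl: {grant['Permission']} for {uri.rsplit('/', 1)[-1]}")
    return findings

# Constructed sample: a site-assets bucket that is readable by design but also writable.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_POLICY, SAMPLE_ACL)))
```

The check does not evaluate `NotAction`, `NotPrincipal` or explicit `Deny` statements, so a clean result is a starting point for review rather than proof that a bucket is locked down.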