Magecart compromises 17,000 domains via the misconfigured S3 Buckets

New Magecart campaign automatically scans for misconfigured Amazon S3 buckets to inject JavaScript-based card skimmer

The new campaign from Magecart focuses on broader attacks: misconfigured Amazon S3 buckets are used to insert the malicious skimmer into more than 17,000 websites

Magecart is a well-known phenomenon by now, and, since it is not tied to a particular malware or a cybercriminal group, it rather refers to a process of malicious card-skimming code injection into various websites in order to obtain visitors' financial information. The campaign has been monitored by RiskIQ experts for a few years now, and, according to new findings by the research team, Magecart utilized new tricks to inject the skimmers into sites.

According to researchers,^[1] Magecart is now automatically scanning the web with specially designed software to find not secured Amazon S3 buckets, which consequently allows the attackers to write and change the content inside them, .js files in particular.

At the time of the writing, Magecart managed to compromise over 17,000 domains in the past few months alone using this technique, and some of the sites are in the top 2,000 of Alexa rankings.

Magecart is one of the most prominent campaigns that target e-commerce sites, in the past victim of which was such high-profile organizations like British Airways^[2] and Ticketmaster.^[3] While various techniques were used before, the current campaign has the potential to inflict a maximum amount of damage by stealing sensitive details of millions.

The campaign was first spotted in April but automated just recently

The new surge of infections started in April 2019, when security analysts from RiskIQ noticed a widespread campaign launched at various web-based supplies, such as AdMaxim or AppLixir.^[4] However, it tuned out it is much broader than initially thought, as bad actors managed to automate the infection process.

Misconfigured S3 buckets are perfect targets for Magecart, as all they need is a working Amazon Web Services account to perform modifications inside the document. Once the compromised database is located, hackers enter it to modify a .js file:

Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone.

Misconfigured Amazon S3 buckets have been a growing cause of concern for security researchers, as they allow attackers to harvest most sensitive information and tamper with initial files. For example, a recent story we covered^[5] follows Attunity – a data management company that exposed details of such giants like Netflix or Pfizer.

While effective, S3 bucket scan does not allow Magecart to perform targeted attacks

In most cases, attackers engage in targeted attacks, particularly on those sites which use an online checkout feature. While the technique involving S3 buckets can be performed on a large scale, it does not mean that the compromised .js file will be used on e-commerce site, where all the credit card details can be obtained.

In particular, the card-skimming code needs to load on the payment page, otherwise, the information harvesting is not possible. Despite that, the widespread nature of the attacks makes an effort worthwhile, as the process is automated and will still bring profits to hackers.

Researchers from RiskIQ point out that this campaign shows how easy it is to compromise any website on the internet, even the ones that are at the top rankings. Thus, more security measures and awareness should be practiced among even the most prominent domains. As long as Amazon S3 buckets are left unsecured, bad actors will keep attacking them, with possibly much worse ramifications.