Magecart hackers have compromised thousands of websites with digital skimming code by scanning for misconfigured Amazon S3 buckets, researchers have warned.
First discovered in May, the campaign is far more extensive that originally thought thanks to the automated scanning and exploitation of unsecured cloud storage accounts, explained RiskIQ’s Yonathan Klijnsma.
“These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains. Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js),” he explained.
“They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone.”
The attacks, which started in April, have managed to compromise a “vast collection of S3 buckets” related to over 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world, Klijnsma said.
However, given the “spray-and-pay” nature of these attacks, the skimming code will not always load on a payment page.
Klijnsma urged organizations to improve security controls over S3 environments. This should include a whitelisting approach which details only the small number of users who should have access to buckets, reviewed periodically.
Write permissions should also be limited.
“The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets,” explained Klijnsma. “Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”
Finally, administrators can block public access to prevent anyone in their account from opening a bucket to the public, regardless of S3 bucket policy.
The impact of Magecart on the bottom line and corporate reputation was highlighted this week when the ICO fined BA a massive £183m for a digital skimming attack last year that compromised data on 500,000 customers.