So-called Magecart hackers are continuing to take advantage of poorly secured AWS S3 data storage buckets in order to insert malicious code into websites in an attempt to steal credit card data or to launch malvertising attacks, according to new research from RiskIQ.
Amazon S3 buckets are public cloud storage resources available in AWS Simple Storage Service, and in many cases they are not sufficiently secured by their owners, which creates an opportunity for malicious actors to use vulnerable S3 buckets for nefarious deeds.
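As an added, defender-side example (not RiskIQ's code or anything from its report), the check below flags the bucket misconfiguration this attack depends on: an ACL or bucket policy that lets anonymous or any-AWS-account principals write objects. It assumes the input dicts have the shape that boto3's get_bucket_acl() and get_bucket_policy() return; the sample ACL and policy are constructed.

```python
# Canned group URIs meaning "anyone on the internet" (AllUsers) or "any AWS
# account" (AuthenticatedUsers); both are effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions and IAM actions that let the grantee add or replace objects,
# which is all an attacker needs to swap a hosted script for a skimmer.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # Policy principals may be the bare string "*" or {"AWS": "*"} / {"AWS": [...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_write_findings(acl, policy):
    """List grants that let the public write objects. `acl` is the dict returned by
    boto3 get_bucket_acl(); `policy` the parsed get_bucket_policy() JSON, or None."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        hits = sorted(actions & WRITE_ACTIONS)
        if hits:  # flagged even if a Condition is present; conditions need manual review
            findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {hits} to *")
    return findings

# Constructed sample inputs (not from any real bucket): an ACL with the classic
# "Everyone: Write" grant and a policy that allows anonymous uploads.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowAnonymousUpload",
    "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for finding in public_write_findings(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

Any finding should also be cross-checked against the account's S3 Block Public Access settings, which override permissive ACLs and policies when enabled.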
Last year, RiskIQ observed a Magecart campaign leveraging misconfigured S3 buckets to insert JavaScript credit card skimmers on hundreds of websites. The researchers identified another strain of malicious code using the same S3 bucket attack vector, often appearing alongside the Magecart skimming code. This malicious code, ‘jqueryapi1oad,’ was related to a long-running Hookads malvertising campaign, historically linked to a number of exploit kits and other malicious behavior.
In May 2020, the researchers discovered that three compromised websites belonging to Endeavor Business Media were infected with Magecart skimming code. The affected sites host emergency services-related content and chat forums catering to firefighters, police officers, and security professionals, according to RiskIQ.
The jqueryapi1oad redirector first surfaced in April 2019 and has been connected to more than 270 unique hosts to date.
“The code itself performs a bot check and sets the jqueryapi1oad cookie along with an expiration period based on the outcome of the check. It then creates a new element in the DOM of the page into which it’s injected and pulls the new content from the gold.platinumus[.]top/track/awswrite URL,” the researchers said.
The code then downloads additional JavaScript that, in turn, loads a cookie associated with the Keitaro traffic distribution system to redirect traffic to scam ads tied to the Hookads malvertising campaign.
The research team has reached out to Endeavor Business Media regarding the issue, but has not heard back from the company. Because of this, RiskIQ is now working with Swiss non-profit cybersecurity firm Abuse.ch to sinkhole the malicious domains associated with the campaign.