12 July 2019

Magecart hackers compromised more than 17K sites via misconfigured Amazon S3 buckets


One of the Magecart groups (Magecart is an umbrella term used to cover a number of cybercriminal groups specializing in skimming credit card details from unsecured payment forms on websites) has injected JavaScript-based payment card-skimming code on more than 17,000 domains, including websites in the top 2,000 of the Alexa rankings, using an automated process for finding and compromising misconfigured Amazon S3 buckets.

According to researchers from RiskIQ, who have been closely monitoring the Magecart operations, since the beginning of the campaign in April 2019 this group has continuously been scanning the Internet for insecure Amazon S3 buckets that allow anyone with an Amazon Web Services account to read or write content to them. Once the attackers find such a bucket, they scan for any JavaScript file, download the files found, add their skimming code to the bottom and overwrite the script on the bucket. This is possible because of the misconfigured permissions on the S3 bucket, which grant write permission to anyone.
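As an added example (not code from the article or from RiskIQ), the following Python checks the two conditions the campaign relied on from a bucket owner's side: an ACL or bucket policy that lets any AWS account (or anyone) write objects, and a hosted `.js` object whose hash no longer matches its deploy-time baseline. The inputs are assumed to be in the shape boto3's `get_bucket_acl` and `get_bucket_policy` return; the sample data is constructed, so nothing is fetched from AWS.

```python
import hashlib
import json

# Canned S3 group URIs: anonymous access, and any AWS account (what the article describes).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that let the grantee overwrite objects (or regrant themselves the right to).
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that permit PutObject (IAM action names are case-insensitive).
WRITE_ACTIONS = {"s3:*", "s3:put*", "s3:putobject"}

def public_write_grants(acl):
    """ACL dict in the shape boto3's get_bucket_acl returns -> [(group, permission)] granting public write."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group and grant.get("Permission") in WRITE_PERMS:
            hits.append((group, grant["Permission"]))
    return hits

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_allows_public_put(policy_json):
    """True if the bucket policy (JSON string, as get_bucket_policy returns) lets any principal put objects."""
    statements = json.loads(policy_json).get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal"))
                and any(a.lower() in WRITE_ACTIONS for a in actions)):
            return True
    return False

def js_baseline(objects):
    """{key: body bytes} -> {key: sha256 hex} for the .js objects, recorded at deploy time."""
    return {k: hashlib.sha256(b).hexdigest() for k, b in objects.items() if k.endswith(".js")}

def changed_js_objects(objects, baseline):
    """Keys of .js objects whose current hash differs from the baseline (new or appended-to files)."""
    current = js_baseline(objects)
    return sorted(k for k, h in current.items() if baseline.get(k) != h)
```

Run the hash comparison on every deploy and on a schedule; a script that suddenly differs from its baseline without a corresponding release is the signal this campaign's overwrite step would produce.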

The automated process isn’t precisely targeted, so not all of the affected websites have transaction-processing features.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment,” explain the researchers.

In a separate report, the Zscaler ThreatLabZ research team disclosed technical details of another Magecart campaign that uses more sophisticated methods for stealing sensitive information from e-commerce sites. In particular, instead of using digital skimming code in plain JavaScript, the group has utilised heavily obfuscated JavaScript with encrypted payloads, which makes it harder for researchers to identify compromised websites.
