12 July 2019

Magecart hackers compromised more than 17K sites via misconfigured Amazon S3 buckets


One of the Magecart groups has injected JavaScript-based payment card-skimming code on more than 17,000 domains, including websites in the top 2,000 of Alexa rankings, using an automated process for finding and compromising misconfigured Amazon S3 buckets. Magecart is an umbrella term for a number of cybercriminal groups that specialize in skimming credit card details from unsecured payment forms on websites.

According to researchers from RiskIQ, who have been closely monitoring the Magecart operations, this group has been continuously scanning the Internet since the beginning of the campaign in April 2019 for unsecured Amazon S3 buckets that allow anyone with an Amazon Web Services account to read or write content to them. Once the attackers find such a bucket, they scan it for any JavaScript file, download the files they find, add their skimming code to the bottom and overwrite the script on the bucket. This is possible because the misconfigured permissions on the S3 bucket grant write permission to anyone.
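For bucket owners, the misconfiguration described above can be checked for directly. The following is an added example, not code from RiskIQ or from this article: it inspects an ACL in the shape returned by the S3 GetBucketAcl API and a bucket policy document, and reports any write access open to all AWS users or to anyone. The function names and the sample ACL and policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# AuthenticatedUsers = any AWS account holder, not just the owner's account.
GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUPS + "AllUsers", GROUPS + "AuthenticatedUsers"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
POLICY_WRITE = ["s3:putobject", "s3:putobjectacl", "s3:putbucketacl", "s3:putbucketpolicy"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(acl):
    """Flag write-capable grants to public groups (GetBucketAcl-shaped dict)."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in ACL_WRITE:
            out.append(f"ACL grants {grant['Permission']} to {uri[len(GROUPS):]}")
    return out

def policy_findings(policy_json):
    """Flag Allow statements giving write actions to a wildcard principal."""
    out = []
    for st in as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if st.get("Effect") != "Allow" or "*" not in as_list(aws):
            continue
        # IAM action names are case-insensitive and may contain * or ? wildcards.
        hits = [a for a in as_list(st.get("Action", []))
                if any(fnmatchcase(w, a.lower()) for w in POLICY_WRITE)]
        if hits:
            note = " (has Condition, review manually)" if "Condition" in st else ""
            out.append(f"policy allows {', '.join(hits)} to any principal{note}")
    return out

# Constructed sample inputs, not taken from any real bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"URI": GROUPS + "AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"URI": GROUPS + "AllUsers"}, "Permission": "READ"},
]}
RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"], "Resource": RES},
]})
print("\n".join(acl_findings(SAMPLE_ACL) + policy_findings(SAMPLE_POLICY)))
```

Public read on a bucket that serves static scripts is not flagged; only grants that would let a third party overwrite those scripts are.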

The automated process isn’t precisely targeted, so not all of the affected websites have transaction-processing features.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment,” explain the researchers.

In a separate report, the Zscaler ThreatLabZ research team disclosed technical details of another Magecart campaign that uses more sophisticated methods for stealing sensitive information from e-commerce sites. In particular, instead of using digital skimming code in plain JavaScript, the group has utilised heavily obfuscated JavaScript with encrypted payloads, which makes it harder for researchers to identify compromised websites.

