Magecart actors are using spray-and-pray tactics to discover misconfigured Amazon S3 buckets and deploy their payment card skimmers.
In April 2019, RiskIQ began tracking a Magecart group campaign in which threat actors took to automatically scanning for publicly accessible S3 buckets. The digital security company found that the purpose of the campaign was to automate these actors’ attempts at compromising websites with payment card skimmers. As RiskIQ notes in its research:
These techniques helped the threat actors compromise more than 17,000 domains since April 2019. Some of those domains sat in Alexa’s top 2000 rankings at the time of the attacks.
It’s important to note that this campaign favored reach instead of targeting. Indeed, not all of the scripts compromised by the campaign loaded on payment pages. But by targeting so many domains, the malefactors ensured a good ROI even if just a fraction of their skimmers returned payment data.
This malicious activity follows on the heels of several other notable Magecart attacks. In January 2019, for instance, a gang successfully compromised hundreds of e-commerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online. Several months later, news emerged of how actors had compromised the Forbes magazine subscription website with malicious code designed to siphon off sensitive credit card information as users attempted to sign up for the paper edition.
The campaign detected by RiskIQ highlights the need for organizations to properly configure their S3 buckets and thereby prevent malicious actors from compromising their contents. Security personnel can find an excellent starting point for their efforts here.