Magecart actors are using spray-and-pray tactics to discover misconfigured Amazon S3 buckets and deploy their payment card skimmers.

In April 2019, RiskIQ began tracking a Magecart group campaign in which threat actors took to automatically scanning for publicly accessible S3 buckets. The digital security company found that the purpose of the campaign was to automate these actors’ attempts at compromising websites with payment card skimmers. As RiskIQ notes in its research:

Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone.

These techniques helped the threat actors compromise more than 17,000 domains since April 2019. Some of those domains sat in Alexa’s top 2000 rankings at the time of the attacks.


It’s important to note that this campaign favored reach over targeting. Indeed, not all of the scripts compromised by the campaign loaded on payment pages. But by targeting so many domains, the malefactors ensured a good ROI even if just a fraction of their skimmers returned payment data.

This malicious activity follows on the heels of several other notable Magecart attacks. In January 2019, for instance, a gang successfully compromised hundreds of e-commerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online. Several months later, news emerged of how actors had compromised the Forbes magazine subscription website with malicious code designed to siphon off sensitive credit card information as users attempted to sign up for the paper edition.
