Over 17,000 Domains Infected with Code that Steals Card Data

silversurfer

Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Affecting this high a number of domains was possible through automated attacks that modified JavaScript code indiscriminately, without checking if it loaded a payment page or not.

Lack of access control
This "spray and pray" Magecart campaign started in early April and took advantage of the fact that many websites using Amazon's cloud storage services failed to properly secure access to their assets.

Researchers at RiskIQ, a company that has been monitoring Magecart attacks since their early days, say that the threat actors automated the discovery of S3 buckets that allowed writing permissions to anyone finding them.

"Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket." - Yonathan Klijnsma, RiskIQ's head of threat research.

Well over 17,000 domains were affected, the more popular of them being on Alexa's top 2,000 ranking list, Klijnsma notes in a report published today.

It should be noted that not all of them used the compromised JavaScript on payment pages, meaning that the card skimming code would not collect any payment data.

One recommended action to prevent unauthorized editing of files in an Amazon S3 bucket is limiting write permissions to trusted users only.

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," says Klijnsma.
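As an added example (not part of the original post or of RiskIQ's report), this check flags the misconfiguration described above: write access granted to everyone. It assumes the ACL has the shape returned by boto3's `get_bucket_acl` and the policy is the parsed JSON bucket policy; the bucket name, account ID and sample documents are constructed.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
ANY_AWS_USER = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_GRANTS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ["s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:putbucketacl", "s3:putbucketpolicy"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_write_findings(acl, policy):
    """List the ways anyone outside the account can modify the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, ANY_AWS_USER) and grant["Permission"] in WRITE_GRANTS:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in as_list(principal.get("AWS", [])) else None
        # Statements with a Condition are skipped here and need manual review.
        if stmt.get("Effect") != "Allow" or principal != "*" or stmt.get("Condition"):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatchcase(a, pattern.lower()) for a in WRITE_ACTIONS):
                findings.append(f"Policy allows {pattern} to any principal")
    return findings

# Constructed samples: a world-writable bucket and the same bucket locked down.
RES = "arn:aws:s3:::example-static-assets/*"
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
WEAK_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": ["s3:GetObject", "s3:Put*"], "Resource": RES}]}
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
FIXED_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:PutObject", "Resource": RES}]}

if __name__ == "__main__":
    for name, acl, pol in [("weak", WEAK_ACL, WEAK_POLICY), ("fixed", FIXED_ACL, FIXED_POLICY)]:
        print(name, public_write_findings(acl, pol) or "no public write access")
```

The fixed sample keeps public read for the static assets while limiting `s3:PutObject` to a single named role, which is the separation Klijnsma describes.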
 
