17,000 sites compromised by Magecart group

More than 17,000 web domains have been infected with digital skimming code caused by the scanning of misconfigured Amazon S3 buckets. 

RiskIQ’s Yonathan Klijnsma explained that the campaign started in early April 2019, and by May, there were reports of thousands of websites being infected. 

“These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains. Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). 

“They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone,” Klijnsma explained. 

Due to the misconfigurations, Amazon S3 buckets are “un-secure”, allowing anyone with an Amazon Web Services account to read or write content to them. 

According to RiskIQ data, the hacking group had compromised a large amount of S3 buckets, impacting over 17,000 domains, including websites in the top 2,000 of Alexa rankings. 

However due to the nature of the attack, many of the compromised scripts do not load payment pages. 

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets. 

“Without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more—and more impactful— attacks using techniques similar to the ones outlined in this blog.”

Klijnsma has recommended organisations improve security controls to S3 buckets by using a whitelisting approach; rather than listing who shouldn’t have access, list who should have access. 

Additionally Klijnsma recommended organisations to limit those with write permissions;

“Never give write permissions to everyone. The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets. Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”

Finally, Klijnsma recommended administrators block public access to prevent anyone in their account from opening a bucket to the public, regardless of the S3 bucket policy. 

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.