New Magecart attacks leverage misconfigured S3 buckets to infect over 17K sites

Web card skimming group takes a "spray-and-pray" shotgun approach to breaking into online stores.


Some Magecart (web card skimming) groups are changing tactics, moving from targeted attacks against carefully selected targets to a "spray-and-pray" approach, hacking everything in their sight, and hoping they manage to place their malicious code on an online store.

And as silly as it sounds, this new "hack all" strategy appears to be paying off, according to a report published today by threat intelligence firm RiskIQ.

The company reported today that Magecart hackers have managed to compromise and plant malicious code on over 17,000 domains over the last few months, since April.

Skimming groups going after misconfigured AWS S3 servers

To achieve such a monumental task, RiskIQ said hackers scanned for misconfigured AWS S3 storage servers, where they added malicious code to JavaScript files used on live websites.

ZDNet reported some of these hacks as they happened, without knowing at the time that they were part of a bigger trend and shift in operations.

In May, we reported that several online services had been breached and had JavaScript files injected with malicious code. The code, just like any other Magecart (web skimmer) code, was designed to log card details entered in payment forms and send the data to crooks' servers.

Some of the victims included Picreel, Alpaca Forms, AppLixir, RYVIU, OmniKick, eGain, and AdMaxim. These are companies that provide services to other websites, and just by compromising a few JS files, the malicious code spread to thousands of other sites.
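The reason a handful of compromised JS files could reach thousands of sites is that those sites load the provider's script by URL and run whatever the URL currently serves. The example below is an added illustration, not code from the article or from any of the companies named: it shows how a site owner can pin a third-party script with a Subresource Integrity (SRI) hash so that a modified copy of the file is refused by the browser. The script contents, the URL and the tampering are all constructed sample data, and the verification function mirrors how browsers handle several space-separated tokens (only the strongest algorithm present is considered).

```python
import base64
import hashlib
import hmac

# Algorithms SRI allows, weakest to strongest; a browser uses the strongest one present
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content, algorithm="sha384"):
    """Return an SRI integrity token ("sha384-<base64 digest>") for `content` (bytes)."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """Check `content` against an integrity attribute value.

    The attribute may carry several space-separated tokens; only the strongest
    supported algorithm is considered, and the content passes if any token of
    that algorithm matches. Unknown algorithms are ignored; if nothing usable
    remains this check fails closed (a browser would instead treat the
    attribute as absent).
    """
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, _ = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            by_algorithm.setdefault(algorithm, []).append(token)
    if not by_algorithm:
        return False
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    expected = sri_hash(content, strongest)
    return any(hmac.compare_digest(expected, token) for token in by_algorithm[strongest])


def script_tag(src, content):
    """Build a <script> element pinned to the current content of the file."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# --- Constructed sample data (not from the article) -------------------------
# The legitimate script a third-party provider ships from its asset bucket.
ORIGINAL_SCRIPT = b"(function(){window.vendorWidget={version:'1.0'};})();\n"
# The same file after someone with write access to the bucket appended to it.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* appended by an unauthorised party */\n"
SCRIPT_URL = "https://example-assets-bucket.s3.amazonaws.com/widget.js"  # placeholder URL
SCRIPT_INTEGRITY = sri_hash(ORIGINAL_SCRIPT)

if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, ORIGINAL_SCRIPT))
    print("original passes:", verify_sri(ORIGINAL_SCRIPT, SCRIPT_INTEGRITY))
    print("tampered passes:", verify_sri(TAMPERED_SCRIPT, SCRIPT_INTEGRITY))
```

Two caveats a practitioner should keep in mind: SRI pins the exact bytes, so a legitimate update of the vendor file will also be blocked until the `integrity` value is refreshed, and the hash covers only the file named in the tag, not anything that script later loads on its own.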

But in a report published today, RiskIQ says these attacks continued throughout the next few months, and the malicious code was later found on more than 17,000 domains, with some of these sites ranked in the Alexa Top 2,000.

New group behind these attacks

The group behind these attacks is a relatively new actor, Yonathan Klijnsma, RiskIQ Head Threat Researcher, told ZDNet in an email yesterday.

"They are a group reliant on the Inter Skimmer Kit," Klijnsma said, referring to a commercial skimming kit that's been advertised on hacking forums for almost a year [1, 2], and which has been used by a multitude of actors ever since.

But besides using code that they didn't even write, the actual "hacks" aren't that hard to perform either.

What the hackers are doing is no different from what most novice bug hunters and security researchers do for their daily job -- namely using automated AWS S3 scanners to search for S3 buckets that have been misconfigured by their owners.

But while security researchers report these exposed servers for small monetary rewards, the hackers are actively modifying their content.
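The article does not spell out which misconfiguration the scanners look for; the setting that lets a stranger replace a bucket's JavaScript is a grant of write access to everyone, either through the bucket ACL or through a bucket policy. The following audit is an added example written for this article, not RiskIQ's or AWS's code, and it assumes that is the misconfiguration in question. It works offline on the same data shapes that `boto3`'s `get_bucket_acl()` and `get_bucket_policy()` return; the bucket name, owner ID and both documents below are constructed samples.

```python
import json

# URIs of the two predefined S3 groups that make a grant "public"
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that allow adding or replacing objects (FULL_CONTROL implies WRITE)
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
# Policy actions that allow creating or replacing objects; compared case-insensitively
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:*", "*"}


def public_write_grants(acl):
    """Return (group, permission) pairs for ACL grants that give a public
    group write-level access. `acl` has the shape of a get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if (grantee.get("Type") == "Group"
                and uri in PUBLIC_GROUP_URIS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_write_statements(policy):
    """Return (Sid, [write actions]) for Allow statements that grant write
    actions to everyone. A Condition may narrow such a statement; it is still
    reported so a human can review it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        writes = sorted(a for a in _as_list(stmt.get("Action"))
                        if a.lower() in WRITE_ACTIONS)
        if writes:
            findings.append((stmt.get("Sid", "<no Sid>"), writes))
    return findings


def audit_bucket(name, acl, policy):
    """Combine both checks into human-readable findings for one bucket."""
    report = []
    for group, perm in public_write_grants(acl):
        report.append(f"{name}: ACL grants {perm} to {group}")
    for sid, actions in public_write_statements(policy):
        report.append(f"{name}: policy statement {sid} allows "
                      f"{', '.join(actions)} to Principal *")
    return report


# --- Constructed sample data (not from the article) -------------------------
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},    # public read of a static-asset bucket is common
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},   # this is the grant that lets anyone replace files
    ],
}

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-assets-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-assets-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for line in audit_bucket("example-assets-bucket", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

Public read on a bucket that serves static assets is normal; the finding that matters is any write-level grant or `Put*` action available to `*`. At the account level, AWS's S3 Block Public Access setting prevents such grants from taking effect regardless of what individual bucket ACLs or policies say.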

While some might consider this inefficient, as the hackers would most likely compromise JS files on sites that don't have a payment page, Klijnsma begs to differ.

"This is a brand new twist on Magecart," the researcher said. "Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative."

Web skimming scene is expanding

Furthermore, while some hoped that web skimming would go out of fashion as hackers moved on to a new cybercrime trend, Klijnsma told ZDNet that the web skimming landscape has been "slowly increasing in size."

"We see some old groups making comebacks and improvements but overall there is a low barrier of entry for this," Klijnsma said.

All in all, the RiskIQ researcher says you can split the current web skimmer landscape into four categories:

  1. High-tier groups using web skimming as a tool in their arsenal but not the main focus (Group 6, the group who planted a web skimmer on the British Airways website).
  2. Skimming groups with a singular focus on skimming that simply improve their skimmer or methods over time (Group 3, 4).
  3. A lot of noise from the lower tier of criminals buying into the scene with things like the Inter skimming kit.
  4. Self-made / constructed skimmers which have very little yield and show up sporadically.
