Published on August 12th, 2019
Over 17,000 Domains Infected with Code that Steals Card Data
Lack of access control
This “spray and pray” Magecart campaign started in early April and took advantage of the fact that many websites using Amazon’s cloud storage services failed to properly secure access to their assets.
Researchers at RiskIQ, a company that has been monitoring Magecart attacks since their early days, say that the threat actors automated the discovery of S3 buckets that granted write permission to anyone who found them.
Well over 17,000 domains were affected, with the more popular of them appearing in Alexa's top 2,000 ranking list, Klijnsma notes in a report published today.
One recommended action to prevent unauthorized editing of files in an Amazon S3 bucket is limiting write permissions to trusted users only.
“Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content,” says Klijnsma.
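The misconfiguration described above is a bucket whose policy or ACL lets anonymous principals write, not merely read. The following audit helper, added here as an illustration and not part of the original article or of any RiskIQ or AWS tooling, inspects a bucket policy document and an ACL grant list in the JSON shapes the S3 API returns and reports any statement or grant that gives the public write access. The bucket name, role ARN and owner ID in the samples are constructed placeholders; the weak policy is shown beside a hardened one that keeps public read but restricts writes to a single named role.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: public read is fine for a static-asset bucket, but the
# second statement also lets anyone overwrite or delete objects (the weak setting).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

# Constructed sample: same public read, but writes limited to one deployment role
# (placeholder ARN; substitute the trusted principal in your own account).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "TrustedDeploy", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-role"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

# Actions that let a principal change what a bucket serves. Policy actions may
# use wildcards (s3:Put*, s3:*, *), so each action is matched as a glob pattern.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketpolicy", "s3:putbucketacl")

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_is_write(action):
    """True when the (possibly wildcarded) action covers a write operation."""
    pattern = action.lower()
    return any(fnmatchcase(write, pattern) for write in WRITE_ACTIONS)


def find_public_write_statements(policy_json):
    """Return [(Sid, [write actions])] for Allow statements open to anonymous
    principals. A Condition block could narrow such a statement; this check
    still flags it so a human reviews the condition rather than trusting it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        writes = [a for a in _as_list(stmt.get("Action")) if _action_is_write(a)]
        if writes:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(writes)))
    return findings


def find_public_write_grants(grants):
    """Inspect ACL grants (the Grants list shape from GetBucketAcl) and return
    [(group, permission)] for AllUsers/AuthenticatedUsers grants that permit
    writing to objects or to the ACL itself."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        permission = grant.get("Permission")
        if uri in (ALL_USERS_URI, AUTH_USERS_URI) and \
                permission in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            findings.append((uri.rsplit("/", 1)[-1], permission))
    return findings


# Constructed sample ACL: owner has full control, the public can read, and a
# stray WRITE grant to AllUsers makes the bucket world-writable.
WEAK_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "WRITE"},
]

if __name__ == "__main__":
    print("weak policy:", find_public_write_statements(WEAK_POLICY))
    print("hardened policy:", find_public_write_statements(HARDENED_POLICY))
    print("weak ACL:", find_public_write_grants(WEAK_ACL_GRANTS))
```

In practice the policy document and grant list would come from the GetBucketPolicy and GetBucketAcl API calls for each bucket in the account; the functions above take those documents as plain data so the check runs offline and can be dropped into a periodic configuration audit.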
Automated Magecart campaigns
Automation is the next logical step in the evolution of the Magecart threat, Willem de Groot, a researcher at Sanguine Security who tracks online payment skimming and fraud, told BleepingComputer in a previous conversation.
Whether the entry point is insecure cloud storage or vulnerabilities in e-commerce platforms, as the industry matures this type of attack is expected to become more frequent.
At the beginning of the month, Sanguine Security, a company that offers e-commerce fraud protection, published a report about a large-scale Magecart campaign that compromised 962 online stores.
The data-thieving script was added within a period of 24 hours, which suggests that it was added automatically. De Groot told BleepingComputer at the time that such a short window would make it nearly impossible to manually breach more than 960 stores.
Klijnsma said that behind that campaign was a hacker outfit known as Magecart 7, which has in the past used automated exploits for known vulnerabilities.