Over 17,000 Domains Infected with Code that Steals Card Data – Digitalmunition


Published on August 12th, 2019


Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Reaching this many domains was possible through automated attacks that modified JavaScript code indiscriminately, without checking whether it was loaded on a payment page.

Lack of access control

This “spray and pray” Magecart campaign started in early April and took advantage of the fact that many websites using Amazon’s cloud storage services failed to properly secure access to their assets.

Researchers at RiskIQ, a company that has been monitoring Magecart attacks since their early days, say that the threat actors automated the discovery of S3 buckets that gave write permissions to anyone who found them.

“Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket.” – Yonathan Klijnsma, RiskIQ’s head of threat research.

Well over 17,000 domains were affected, the more popular among them ranking in Alexa’s top 2,000, Klijnsma notes in a report published today.

It should be noted that not all of them used the compromised JavaScript on payment pages, meaning that the card skimming code would not collect any payment data.

One recommended action to prevent unauthorized editing of files in an Amazon S3 bucket is limiting write permissions to trusted users only.

“Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content,” says Klijnsma.
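The recommendation above, as an added example that is not taken from RiskIQ's report or the original article: a Python check that reads a bucket policy and ACL in the JSON shape AWS returns and reports grants that let anyone write, while leaving public read alone. The bucket name, Sids and sample documents are constructed, and `NotAction`/`NotPrincipal` statements are not handled.

```python
import fnmatch

# Actions that let a caller change objects or the bucket's own access rules.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")
# ACL grantee groups meaning "anyone" and "any AWS account holder".
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_write_findings(policy, acl):
    """List every grant that lets an anonymous caller modify the bucket."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public(st.get("Principal")):
            continue
        # IAM action patterns are case-insensitive and may use * and ? wildcards.
        hit = sorted({w for pat in _as_list(st.get("Action", []))
                      for w in WRITE_ACTIONS
                      if fnmatch.fnmatchcase(w.lower(), pat.lower())})
        if hit:
            note = " (has Condition, review manually)" if "Condition" in st else ""
            findings.append(f"policy {st.get('Sid', '<no Sid>')}: {', '.join(hit)}{note}")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GROUPS and grant.get("Permission") in WRITE_PERMS:
            findings.append(f"acl {grantee['URI'].rsplit('/', 1)[-1]}: {grant['Permission']}")
    return findings

# Constructed samples: a public-read bucket, and one that is also world-writable.
_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}
_WRITE = {"Sid": "AnyoneUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-assets/*"}
READ_ONLY = ({"Version": "2012-10-17", "Statement": [_READ]},
             {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]})
WRITABLE = ({"Version": "2012-10-17", "Statement": [_READ, _WRITE]},
            {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "WRITE"}]})

if __name__ == "__main__":
    for name, (policy, acl) in (("read-only", READ_ONLY), ("writable", WRITABLE)):
        print(name, public_write_findings(policy, acl) or "no public write access")
```

In practice the two documents would come from the bucket's stored policy and ACL; a finding on either one means the scripts served from that bucket can be overwritten by anyone.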

Automated Magecart campaigns

Automation is the next logical step in the evolution of the Magecart threat, Willem de Groot, a researcher at Sanguine Security who tracks online payment skimming and fraud, told BleepingComputer in a previous conversation.

Whether through insecure cloud storage or vulnerabilities in e-commerce platforms, the industry is becoming more mature and this type of attack is expected to become more frequent.

At the beginning of the month, Sanguine Security, a company that offers e-commerce fraud protection, published a report about a large-scale Magecart campaign that compromised 962 online stores.

The data-thieving script was added within a period of 24 hours, which suggests that it was added automatically. De Groot told BleepingComputer at the time that it would be nearly impossible to manually breach more than 960 stores in so short a time.

Klijnsma said that the campaign was the work of a hacker outfit known as Magecart 7, which has previously used automated exploits for known vulnerabilities.
