A prolific credit-card theft ring is scanning for unsecured “buckets” in Amazon’s cloud and has compromised 17,000 domains (so far)

Magecart is the hacker gang that pulled off the British Airways and Ticketmaster credit-card heists; now they’ve build an Amazon cloud scanner that systematically probes S3 storage “buckets” for configuration errors that allow them to overwrite any Javascript files they find with credit-card stealing malware.

Security researchers Riskiq have identified 17,000 domains that they say Magecart has compromised this way, including 2,000 of “the world’s biggest sites.” It’s not clear how many of those actually have credit-card processing scripts that would allow Magecart to steal card details from their customers.

Amazon S3 buckets are secure by default. Companies run into trouble when they actively change those permissions, either somewhere in the development process or when they hand off cloud work to a third-party contractor. Those Amazon S3 bucket misconfigurations have caused plenty of problems before. The fallout, though, was usually limited to the exposure of personally identifiable information, huge databases of usernames and passwords and birthdays and Social Security numbers that wind up for sale, or for free, on the dark web and elsewhere. That’s because those goofs typically give read permission to interlopers, but not the ability to write code. The Magecart hackers figured out a way to scan for misconfigurations that do both—and now they know 17,000 vulnerable domains.

“This is a whole new level of misconfiguring,” says Klijnsma. “These buckets are pretty much owned by anybody who talks to it, which is on a different scale, a different type of data leakage. Pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big.”

Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains—and Counting [Brian Barrett/Wired]

(Image: Mary Rose Trust, CC-BY-SA, modified)