Automated Magecart spree hit thousands of sites via misconfigured cloud servers, RiskIQ says

One of the most notorious e-commerce scams has expanded into a “mass compromise” that preys on vulnerable cloud infrastructure to skim data from thousands of websites, according to researchers with security vendor RiskIQ.

Hackers using so-called Magecart techniques have infiltrated more than 17,000 sites by sneaking into misconfigured cloud storage, reports the San Francisco-based company. The crooks are automatically scanning the web for Amazon Web Services S3 buckets that let outsiders write to them and adding card-skimming code to the JavaScript files those buckets serve, the researchers say.

S3 buckets are private by default, and AWS offers bucket-level “Block Public Access” settings, but it is common for operators to loosen a bucket’s access control list or bucket policy so that anyone can read, and sometimes write, its contents. Many e-commerce sites use S3 buckets to host site scripts and store sensitive data. The thieves started compromising insecure buckets in April, RiskIQ says.
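The misconfiguration at the heart of this campaign is a bucket whose ACL or bucket policy grants write access to an anonymous principal. The audit below is an added example written for this article, not RiskIQ’s or AWS’s code: it evaluates ACL grants and policy statements in the shape that `GetBucketAcl` and `GetBucketPolicy` return, reports anything that lets a stranger overwrite objects, and returns the Block Public Access configuration that closes both doors. The sample ACL and policy, the bucket name `example-shop-assets`, and the owner ID are all constructed for the example.

```python
"""Audit S3 bucket ACLs and bucket policies for anonymous write access.

Added example, not RiskIQ's or AWS's code. The ACL and policy at the bottom
are constructed to mirror GetBucketAcl / GetBucketPolicy responses; the
bucket name and owner ID are hypothetical.
"""
import fnmatch
import json

# Predefined S3 groups: AllUsers is the whole Internet; AuthenticatedUsers is
# anyone holding any AWS account, which is effectively public as well.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Actions that let a stranger replace or remove objects such as a hosted .js file.
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:putbucketpolicy", "s3:putbucketacl")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_write_grants(acl):
    """Grants in a GetBucketAcl-style dict that give a public group write rights."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant["Permission"]})
    return findings


def _principal_is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_write_action(action):
    pattern = action.lower()  # IAM action names are case-insensitive and may carry wildcards
    return any(fnmatch.fnmatchcase(target, pattern) for target in WRITE_ACTIONS)


def policy_public_write_statements(policy):
    """Allow statements with an anonymous Principal and a write action.
    `policy` may be the JSON string GetBucketPolicy returns or a parsed dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if _is_write_action(a)]
        if actions:
            # A Condition (source IP, VPC endpoint, ...) may narrow the grant, so such
            # statements are reported for review rather than counted as open.
            findings.append({"sid": stmt.get("Sid", ""), "actions": actions,
                             "conditional": bool(stmt.get("Condition"))})
    return findings


def audit_bucket(acl, policy=None):
    """Combine both checks: {'public_write': bool, 'acl': [...], 'policy': [...]}."""
    acl_findings = acl_public_write_grants(acl)
    policy_findings = policy_public_write_statements(policy) if policy else []
    unconditional = [f for f in policy_findings if not f["conditional"]]
    return {"public_write": bool(acl_findings or unconditional),
            "acl": acl_findings, "policy": policy_findings}


def public_access_block_config():
    """Block Public Access settings that stop both vectors at the bucket level;
    pass as PublicAccessBlockConfiguration to s3.put_public_access_block()."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def audit_live_bucket(bucket_name):
    """Run the audit against a real bucket (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    try:
        policy = s3.get_bucket_policy(Bucket=bucket_name)["Policy"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None  # no bucket policy attached
    return audit_bucket(acl, policy)


# Constructed sample: a bucket hosting checkout JavaScript that is open to the world.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-shop-assets/*"},
        {"Sid": "OopsPublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-shop-assets/*"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Public read is deliberately not flagged: a bucket that serves site assets is meant to be readable, and it is the write grant that lets an attacker replace a script. Statements carrying a Condition are surfaced but not counted toward `public_write`, so an analyst still sees them.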

This campaign, which RiskIQ says has affected websites in Alexa’s top 2,000 internet rankings, is the latest Magecart-style attack after previous incidents at British Airways, Ticketmaster, and other international shopping sites. “Magecart” doesn’t refer to a single cybercriminal gang, but a style of hacking employed by at least 12 separate groups that inject a small amount of malicious JavaScript into third-party services, such as advertising or analytics scripts loaded on checkout pages, to quietly collect payment card data.

The move to siphon data from S3 buckets represents a notable step forward, according to RiskIQ.

“It’s a mass, mass compromise,” Yonathan Klijnsma, a threat researcher at RiskIQ, said during a recent interview about the campaign, which was revealed Thursday. “It’s quite effective.”

Klijnsma said “an isolated group” is behind this S3 crime spree.

RiskIQ did not identify any of the organizations that had been hacked as a result of the misconfigured S3 buckets. The security company says it’s working with AWS and the affected firms to mitigate the attacks as they’re observed.

This research disclosure comes just days after the U.K. Information Commissioner’s Office announced its intent to fine British Airways £183.39 million ($229.2 million) under the General Data Protection Regulation for the company’s security posture before Magecart hackers stole information about roughly 500,000 people.

Sanguine Security Labs last week said it detected another automated Magecart campaign that compromised more than 900 websites.

The attacks likely will continue, barring any sudden major change in the way payments are processed online. Magecart attacks use a generalized skimming code that, once installed by thieves, is designed to work inside a variety of websites that process cards. The malware skims names, numbers, addresses and other sensitive data from transactions.
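Whether the skimmer arrives by overwriting a script in an open bucket or by riding in on a third-party tag, the symptom is the same: the bytes of a script the checkout page loads are no longer the bytes that were deployed. The example below is added here and is not code from RiskIQ or from any affected site. It records a Subresource Integrity hash for each deployed script, emits the `<script integrity=...>` tag that makes a browser refuse an altered copy, and diffs a later fetch against the baseline so a monitoring job can catch an appended payload. The two scripts, the host name `example-shop-assets.s3.amazonaws.com`, and the appended snippet are constructed; the snippet is a harmless stand-in, not real skimmer code.

```python
"""Detect tampering of hosted JavaScript with Subresource Integrity hashes.

Added example, not code from RiskIQ or any affected site. The baseline and
the "served" files are constructed in-line; the appended snippet is a
harmless stand-in for a skimmer.
"""
import base64
import hashlib


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: '<alg>-<base64 digest>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """HTML that makes the browser refuse the script if its bytes change.
    crossorigin="anonymous" is required for SRI on cross-origin scripts, so the
    bucket must also answer with Access-Control-Allow-Origin."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def diff_against_baseline(baseline: dict, served: dict) -> dict:
    """Compare {path: sri} recorded at deploy time with {path: bytes} fetched now.
    Returns the paths that were modified, added, or removed."""
    modified = sorted(p for p, data in served.items()
                      if p in baseline and sri_hash(data) != baseline[p])
    added = sorted(p for p in served if p not in baseline)
    removed = sorted(p for p in baseline if p not in served)
    return {"modified": modified, "added": added, "removed": removed}


# Constructed fixtures: deploy-time content of two scripts in the asset bucket.
DEPLOYED = {
    "js/checkout.js": b"function submitOrder(form){return fetch('/api/order',"
                      b"{method:'POST',body:new FormData(form)});}\n",
    "js/analytics.js": b"window.track=function(e){console.log('event',e)};\n",
}
BASELINE = {path: sri_hash(data) for path, data in DEPLOYED.items()}

# What a later fetch of the bucket returns: checkout.js has had a snippet appended
# to its end, a file nobody deployed has appeared, and analytics.js is untouched.
SERVED = dict(DEPLOYED)
SERVED["js/checkout.js"] += b";(function(){/* constructed stand-in for appended code */})();\n"
SERVED["js/vendor.min.js"] = b"/* unexpected new file */\n"

if __name__ == "__main__":
    for path, data in DEPLOYED.items():
        print(script_tag(f"https://example-shop-assets.s3.amazonaws.com/{path}", data))
    print(diff_against_baseline(BASELINE, SERVED))
```

The integrity attribute only protects scripts referenced from HTML the attacker cannot edit; if the page itself is served from the writable bucket, the tag can be stripped along with everything else, so the bucket-permission check and this integrity check are complementary rather than alternatives. Running the diff on a schedule, against the public URL rather than the bucket API, also catches changes introduced in front of the bucket by a CDN or a compromised third-party host.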