Magecart Hackers Scan for Misconfigured S3 Buckets
Magecart hackers have compromised thousands of websites with digital skimming code by scanning for misconfigured Amazon S3 buckets, researchers have warned.
First discovered in May, the campaign is far more extensive that originally thought thanks to the automated scanning and exploitation of unsecured cloud storage accounts, explained RiskIQ’s Yonathan Klijnsma.
The attacks, which started in April, have managed to compromise a “vast collection of S3 buckets” related to over 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world, Klijnsma said.
However, given the “spray-and-pay” nature of these attacks, the skimming code will not always load on a payment page.
Klijnsma urged organizations to improve security controls over S3 environments. This should include a whitelisting approach which details only the small number of users who should have access to buckets, reviewed periodically.
Write permissions should also be limited.
“The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets,” explained Klijnsma. “Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”
Finally, administrators can block public access to prevent anyone in their account from opening a bucket to the public, regardless of S3 bucket policy.
The impact of Magecart on the bottom line and corporate reputation was highlighted this week when the ICO fined BA a massive £183m for a digital skimming attack last year that compromised data on 500,000 customers.
Source: Information Security Magazine