Carpet bombing via misconfigured Amazon S3 buckets
Misconfigured Amazon S3 buckets managed by third-party web suppliers are being targeted with Magecart to attack thousands of e-commerce sites en-masse.
Magecart is a well-documented technique that sees cybercriminals implement card-skimming code into the payment page on target websites.
This new “spray and pray" method, as coined by threat management firm RiskIQ, contrasts with the targeted campaigns associated with previous Magecart operations.
Cybercriminals are using the attack to cast the widest possible net, accepting the disadvantage of the approach, which is that many payload scripts will fail to load on payment pages.
Even so, the group “has managed to compromise a vast collection of S3 buckets to impact well over 17,000 domains”, according to RiskIQ, which spotted the attack.
RiskIQ, which first warned of the tactic in mid-May, went public with an updated analysis earlier this week, warning that the attack was even more intensive than previously feared.
Some of the impacted websites are in the top 2,000 of Alexa rankings, implying the assault is far from restricted to obscure web shops.
RiskIQ warns that further attacks against the same lines are inevitable in a blog post that goes on to provide security advice on how to protect potentially vulnerable buckets.
The Magecart technique has already seem thousands of victims’ payment details compromised via attacks on popular websites Ticketmaster, British Airways, and Vision Direct, as well as smaller e-commerce site.