
Magecart uses 'Shotgun Approach' to breach more than 17,000 websites

By Cal Jeffrey
Jul 11, 2019
  1. On May 14, security firm RiskIQ discovered seven third-party web suppliers that had had their payment scripts injected with skimmer code. Since these providers supply vending scripts to other companies, thousands of websites might have been compromised. However, after monitoring the situation, researchers found that the scope of the attacks was much broader than initially reported.

    The credit card skimming group Magecart is allegedly behind the injection campaign. You may recall Magecart as the group responsible for breaches over the last several months at various companies, including British Airways, Newegg, Quest Diagnostics, and others.

    The hackers have reportedly automated their methods, which continually scan for misconfigured Amazon S3 buckets. The process looks for accounts with unsecured read/write privileges, then scans them for any JavaScript files. The .js scripts are downloaded, appended with skimming code, and re-uploaded without alerting the websites or admins.

    Researchers refer to this as the “Shotgun Approach.” Magecart is favoring quantity over accuracy. Even though many of the injections will fail with this strategy, the group is counting on a small fraction to provide a substantial return.

    "The widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets," said RiskIQ in a press release. "Without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more—and more impactful—attacks using techniques similar [to Magecart's]."

    This campaign has been going on since early April. RiskIQ has been monitoring the activity in cooperation with Amazon and has been notifying websites that have been attacked as they are discovered. So far, the security group has uncovered numerous compromised S3 buckets affecting well over 17,000 websites. Several of the websites are listed in the top 2,000 Alexa rankings.

    RiskIQ urges S3 bucket owners to be sure their access controls are tight by whitelisting rather than blacklisting, strictly limiting write privileges, and enabling Amazon's public access filter. Amazon also has a page dedicated to informing users how to secure their S3 bucket resources.

    Permalink to story.

     
  2. jobeard

    jobeard TS Ambassador Posts: 12,891   +1,530

    FYI: S3 bucket is an AWS component for storage.
     
