Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets

Researchers Find Skimmers Designed to Skim Payment Data in 17,000 Domains
RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets

A cybercriminal gang associated with the umbrella organization known as Magecart has been inserting malicious JavaScript into unsecured Amazon Web Service S3 buckets to skim payment data, according to research published by RiskIQ Thursday.

See Also: How to Build Your Cyber Recovery Playbook

Security researchers have been tracking this latest development since at least May. So far, they’ve identified about 17,000 domains infected with JavaScript skimmers – also referred to as JavaScript sniffers or JS sniffers, RiskIQ reports. This malicious code is proficient at sweeping up payment card data that includes name, card number, expiration date and CVV information, researchers say.

Once a gang finds a misconfigured Amazon S3 bucket without proper password protection and authentication, it can read or write content to them without much difficulty, according to RiskIQ.

In addition, this particular group is going beyond targeting e-commerce and other online shopping sites. The RiskIQ analysis found that many of the unsecured S3 buckets belonged to companies listed in the Alexa Top 2000 list of popular websites.

RiskIQ is working with Amazon Web Services in an attempt to contact the owners of these unsecured databases to help secure the buckets and remove the malicious code, says Yonathan Klijnsma, a threat researcher at RiskIQ who’s been tracking Magecart and skimmer attacks over the last several months.

"The approach is broad, and unlike past Magecart attacks, there is no filtering to e-commerce only, so the impact could have been so much bigger than just an e-commerce skimming breach," Klijnsma tells Information Security Media Group. "We've seen the skimmers end up on very popular websites but not on a payment page, which means it did not skim any data.”

Tracking Magecart Groups

Most of these JS-sniffer or skimmer attacks are associated with an umbrella organization known as Magecart, which comprises 12 cybercriminal "families" that have been extremely active over the last year to 18 months (see: E-Commerce JavaScript Sniffer Attacks Proliferate: Report).

Klijnsma calls the new gang that RiskIQ discovered "Magecart Group 13." But he says there are likely more than 13 gangs operating under the same umbrella and using many of the same malicious tools, which are bought for relatively little money on dark net forums.

Most recently, Magecart-associated groups has been suspected in attacks against shoe manufacturer Fila as well as the bedding sites and, according to an earlier analysis by security firm Group-IB and RiskIQ.

Other suspected victims of Magecart-style attacks include British Airways, Ticketmaster and Newegg.

Earlier this week, Britain's privacy watchdog issued a "notice of intent" that it plans to fine British Airways about $230 million for violating the EU's General Data Protection Regulation. That violation of the law is believed to be tied to the Magecart attack (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

'Spray and Pray'

In this latest attack, the Magecart-associated gang is using what RiskIQ calls a "spray and pray" technique.

By scanning the internet for as many unsecured Amazon S3 buckets as they can find, the cybercriminal gang is attempting to inject the skimmers within as many domains as possible. This is done by looking for JavaScript files. The gang then downloads these files and adds their skimming code to the bottom, while overwriting the script on the bucket, according to RiskIQ.

The one drawback for the attackers is that the malicious JavaScript only works on webpages that contain payment forms using JavaScript, and not every unsecured database houses this type of code, according to RiskIQ. But because there are so many unsecured S3 buckets, if only a small percentage have JavaScript payment forms, they could yield a financial windfall for hackers, Klijnsma says.

What's not yet clear is if the gang is selling its stolen payment card information on dark net forums or using it make fraudulent charges, Klijnsma says.

"We estimate the yield of websites that are producing actual payment data to be very low compared to the number of sites they compromised," Klijnsma says. "We do not have any actual profit amounts on this campaign. However, groups always factor in the opportunity cost before performing campaigns. The sheer volume of websites they accessed probably made the campaign lucrative."

Targeting Amazon Web Services

The RiskIQ research on this latest Magecart attack only focused on Amazon Web Services and the company's cloud-based databases. It's possible that the same group is targeting companies that use the other two big cloud services - Microsoft Azure and Google Cloud Platform - but Klijnsma and his team have not yet seen evidence of that.

One reason why Amazon Web Service is such a tempting target is its sheer size. An analysis by Synergy Research of the top cloud services during the fourth quarter of 2018 found that AWS is larger than its next four closest competitors combined and that it controlled well over 30 percent of the infrastructure-as-a-service market during those three months.

Misconfigured or unsecured Amazon S3 buckets are part of a much larger security issue. In the past two weeks, for example, researchers with UpGuard located an unsecured Amazon database owned by IT services firm Attunity that left at least 1 TB of data, including files from companies such as Netflix, TD Bank and Ford, exposed to the internet (see: UpGuard: Unsecured Amazon S3 Buckets Exposed 1 TB of Data).

In the case of the Attunity-owned database, it's not clear if anyone managed to access the data. And while it's up to Amazon's customers to secure these cloud-based databases, the Magecart attacks show what a daunting task this can turn into, even with AWS' help in trying to locate customers who have been breached.

"While it is up to the customers to configure their S3 buckets, our partnering with Amazon is mostly for remediation outreach as these are their customers," Klijnsma says. "For us to reach out to every organization in the list is nearly impossible."

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.