The researchers, who tracked and exposed attacks by the Magecart gang against businesses such as Ticketmaster, British Airways and Newegg, believe the latest campaign began in April 2019. They have been working with Amazon and affected parties to address the injections and misconfigured S3 cloud storage instances as they observe them.
According to the report, those behind the attack automated the process of simultaneously compromising more than 17,000 domains with skimmers by actively scanning for misconfigured Amazon S3 buckets that can be accessed for reading and writing content by anyone with an Amazon Web Services account.
This attack introduces yet another method by Magecart that RiskIQ researchers call a “spray and pray” approach. Because skimmers work only when placed on payment or checkout pages, most Magecart attacks target specific e-commerce sites and attempt to drop a skimmer only on pages with payment forms.
However, the ease of compromise that comes from finding S3 buckets misconfigured to allow public access means that even if only a fraction of their skimmer injections return payment data, it will yield a substantial return on investment, the researchers said.
“This is a brand new twist on Magecart,” said Yonathan Klijnsma, head threat researcher at RiskIQ. “Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative. They have done their cost-benefit analysis.”
The scale of this latest attack illustrates how easy it is for threat actors of any kind to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets. RiskIQ researchers said that without greater awareness and an increased effort to implement the security controls needed, there will be more attacks using similar techniques.
The gravity of the Magecart threat is underlined by the fact that British Airways is facing a £183m General Data Protection Regulation (GDPR) fine in connection with a data breach due to a Magecart attack that the RiskIQ researchers exposed.
“The proposed £183m fine against British Airways for the breach of its website by Magecart represents 1.5% of its 2017 revenues, which is astronomically larger than any pre-GDPR fine,” said RiskIQ CEO Lou Manousos.
“With the recent explosion of web- and browser-based threats, this precedent should have organisations re-evaluating their current security strategy for dealing with threats beyond the firewall.”
Klijnsma said in a blog post that if anyone alters the default behaviour of an S3 bucket and requires public access, it is vital to set up proper access control.
“Access control for S3 buckets comes in different layers and options, from Amazon’s IAM [identity and access management] policies, specific bucket policies, or general access control policies,” he wrote. “These various policies can be overlaid and stacked depending on the bucket and how you want to set it up.”
RiskIQ recommends these three “crucial steps” for access control to any S3 bucket:
- Whitelist: Every administrator should very carefully monitor these controls and apply the concept of whitelisting rather than blacklisting. Only give access permissions to the processes or individuals that absolutely need them. Review this list periodically to disable unwanted and unneeded access.
- Limit those with write permissions: Never give write permissions to everyone. The cause of the thousands of Magecart compromises now being observed from S3 buckets is administrators setting the access control to allow anyone to write content to buckets.
- Block access: Account administrators can also block public access to prevent anyone in their account from opening a bucket to the public, regardless of S3 bucket policy.
The researchers also recommend that users of S3 buckets read Amazon’s general guide of items to check for when maintaining a secure S3 bucket setup.
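The three steps above (allow-list only the principals that need access, never grant write to everyone, and turn on Block Public Access) can be checked mechanically against the JSON shapes the S3 API returns for a bucket's ACL, bucket policy and public access block settings. The following is an added example written for this article, not code from RiskIQ or Amazon: it is pure Python, calls no AWS API, and runs over constructed sample data (the bucket name, account ID and role ARN are placeholders). It flags the exact misconfiguration described here, a write grant to the `AuthenticatedUsers` group (any AWS account) or a policy statement that allows write actions to `Principal: "*"`, and shows the hardened equivalents beside the weak ones. Statements carrying a `Condition` are skipped rather than evaluated, which is a simplification for the example.

```python
"""Audit S3 access settings for the 'anyone can write' misconfiguration.

Pure-Python checks over the document shapes returned by GetBucketAcl,
GetBucketPolicy and GetPublicAccessBlock. All inputs below are constructed
for this example; nothing here talks to AWS.
"""
import fnmatch
import json

# S3's predefined global groups. AuthenticatedUsers means ANY AWS account
# worldwide, not just your own organisation.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that let the holder add or replace objects, or change the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that would let a skimmer be dropped into the bucket.
WRITE_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketPolicy",
                 "s3:PutBucketAcl", "s3:DeleteObject"]


def public_write_grants(acl):
    """Return (group, permission) pairs in an ACL that let the public modify the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_write_statements(policy):
    """Return Sids of unconditional Allow statements granting write actions to any principal.

    IAM action names are case-insensitive and may contain wildcards (s3:*, s3:Put*),
    so match them with fnmatch on lower-cased strings. Statements with a Condition
    are skipped here (simplification): they need manual review, not auto-approval.
    """
    sids = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action"))]
        if any(fnmatch.fnmatchcase(w.lower(), p) for p in patterns for w in WRITE_ACTIONS):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def block_public_access_enforced(pab):
    """True only when all four Block Public Access switches are on (the 'Block access' step)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def audit_bucket(acl, policy, pab):
    """Combine the three checks into one list of human-readable findings (empty == clean)."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_write_grants(acl)]
    findings += [f"policy statement '{sid}' allows public write" for sid in public_write_statements(policy)]
    if not block_public_access_enforced(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings


# --- constructed samples (placeholder IDs, not real resources) ----------------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
MISCONFIGURED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"},  # the Magecart trap: any AWS account may upload
]}
HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
  {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*"}]}""")
# Allow-listed principal only: a single deploy role (placeholder ARN) may write.
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
  {"Sid": "DeployRoleWrite", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-deploy-role"},
   "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-assets/*"}]}""")

PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in
           ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_OFF["PublicAccessBlockConfiguration"]}}

if __name__ == "__main__":
    for name, args in (("weak", (MISCONFIGURED_ACL, WEAK_POLICY, PAB_OFF)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, PAB_ON))):
        print(name, "->", audit_bucket(*args) or "no findings")
```

On a real account the three inputs come from `get_bucket_acl`, `get_bucket_policy` (parse the `Policy` string with `json.loads`) and `get_public_access_block`; the checks themselves are unchanged. The hardened policy still serves objects publicly, which a static-asset bucket legitimately needs, but only one named role can write, which is the allow-listing the article's first two steps call for, and turning on all four Block Public Access settings makes the ACL grant in the weak sample ineffective even if someone re-adds it later.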