RiskIQ Uncovers Magecart Campaign Breaches Websites En Masse Via “Spray and Pray Method” Involving Misconfigured Amazon S3 Buckets
July 11, 2019
SAN FRANCISCO – July 11th, 2019 – RiskIQ, the global leader in attack surface management, today published research uncovering a new campaign by the credit card skimming crime syndicate Magecart. RiskIQ has monitored the compromise of S3 buckets since the campaign began in April 2019. The company has been working with Amazon and affected parties to address the injections and misconfigured S3 instances as they observe them.
According to the report, the actors behind the attack have automated the process of simultaneously compromising over 17,000 domains with skimmers by actively scanning for misconfigured Amazon S3 buckets. Because these buckets are misconfigured, they are insecure, and anyone with an Amazon Web Services account can read or write content to them.
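The misconfiguration described above corresponds to a bucket ACL grant to one of S3's predefined public groups. The following is an added example, not code from RiskIQ or its report: a defender-side check that flags such grants in ACL documents shaped like the output of `aws s3api get-bucket-acl`. The bucket names and owner IDs are constructed, and the check assumes ACLs only (bucket policies and Block Public Access settings need separate review).

```python
# Predefined S3 grantee groups that make a grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# Permissions that let the grantee change bucket content or its ACL.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return findings for grants that expose the bucket to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or who is None:
            continue  # grant to a specific account or a non-public group
        perm = grant.get("Permission", "")
        severity = "CRITICAL" if perm in WRITE_PERMS else "HIGH"
        findings.append({"bucket": bucket, "who": who, "permission": perm, "severity": severity})
    # "CRITICAL" sorts before "HIGH", so writable exposures are listed first.
    return sorted(findings, key=lambda f: (f["severity"], f["permission"]))


# Constructed sample ACLs (bucket names and owner IDs are made up).
SAMPLE_ACLS = {
    "example-static-assets": {
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        ]
    },
    "example-private-logs": {
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        ]
    },
}


def audit_all(acls):
    """Audit every bucket ACL in a {bucket_name: acl} mapping."""
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['severity']}: {f['bucket']} grants {f['permission']} to {f['who']}")
```

A `WRITE` grant to the AuthenticatedUsers group is the condition the paragraph above describes: any AWS account, not just the owner's, can replace the scripts a site loads from that bucket.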
This attack introduces yet another method by Magecart that RiskIQ researchers call a “spray and pray” approach. Because skimmers only work when placed on payment/checkout pages, most Magecart attacks target specific e-commerce sites and attempt to drop a skimmer only on pages with payment forms. However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will yield a substantial return on investment.
“This is a brand new twist on Magecart,” said Yonathan Klijnsma, Head Threat Researcher at RiskIQ. “Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative. They've done their cost-benefit analysis.”
The scale of this attack illustrates how easy it is for threat actors of any kind to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets. RiskIQ researchers stress that without greater awareness and an increased effort to implement the security controls needed, there will be more attacks using techniques similar to the ones outlined in this blog.
Adding to the gravity of the Magecart threat, the S3 bucket method comes to light as the first post-GDPR fine was imposed against British Airways for the Magecart breach of its website, which RiskIQ also exposed. The proposed amount of £183m represents 1.5% of BA's 2017 revenues and dwarfs the largest pre-GDPR fine levied by the UK's Information Commissioner's Office (ICO) of £500,000.
“The proposed £183m fine against British Airways for the breach of its website by Magecart represents 1.5% of its 2017 revenues, which is astronomically larger than any pre-GDPR fine,” said Lou Manousos, RiskIQ CEO. “With the recent explosion of web and browser-based threats, this precedent should have organizations re-evaluating their current security strategy for dealing with threats beyond the firewall.”
Read the blog for a full list of IOCs as well as guidance on how to best protect your Amazon S3 buckets: https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets
RiskIQ is the global leader in attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures. Trusted by thousands of security analysts, security teams, and CISOs, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action. Its software protects businesses, brands, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures.