RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets
Researchers Find Skimmers Designed to Skim Payment Data in 17,000 Domains
Once a gang finds a misconfigured Amazon S3 bucket whose access control list or bucket policy grants access to unauthenticated users, it can read or write the bucket's contents without much difficulty, according to RiskIQ. S3 has no "password" in the usual sense: access is decided by those ACLs and policies, so a grant to the AllUsers group is an open door.
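The misconfiguration described above is visible in two objects the S3 API returns for a bucket: the ACL (GetBucketAcl) and the bucket policy (GetBucketPolicy). The following Python is an added example for this article, not RiskIQ's or Amazon's code; it evaluates those two documents offline for anonymous read and write access. The ACLs, policies, bucket name, account ID and role name below are constructed for illustration; in practice the input would be the live responses (for example from boto3's `get_bucket_acl` and `get_bucket_policy`).

```python
"""Check S3 bucket ACLs and bucket policies for anonymous read/write access.

Added example for this article; it is not RiskIQ's or AWS's code. It works
on the dict/JSON shapes returned by the S3 GetBucketAcl and GetBucketPolicy
API calls so it runs offline; the sample ACLs and policies are constructed.
"""
import fnmatch
import json

# Grantee URIs that AWS uses for "everyone" and "any signed-in AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions: WRITE lets a grantee add/overwrite/delete objects, which
# is exactly what an attacker needs to plant a skimmer in a hosted script.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}
# IAM actions (lower-cased) that imply modifying or reading bucket contents.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}


def acl_findings(acl):
    """Findings ({"public-read", "public-write"}) from a GetBucketAcl dict."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUP_URIS:
            continue  # named accounts / canonical users are not "public"
        perm = grant.get("Permission")
        if perm in WRITE_PERMISSIONS:
            findings.add("public-write")
        if perm in READ_PERMISSIONS:
            findings.add("public-read")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _matches(patterns, wanted):
    """IAM actions may use wildcards (s3:*, s3:Put*); match case-insensitively."""
    return any(fnmatch.fnmatchcase(w, p.lower()) for p in patterns for w in wanted)


def policy_findings(policy_json):
    """Findings from a bucket policy document (JSON string, as GetBucketPolicy returns it)."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # e.g. aws:SourceIp or aws:SourceVpce narrows "*"; flag for manual review
            findings.add("public-conditional")
            continue
        actions = _as_list(stmt.get("Action", []))
        if _matches(actions, WRITE_ACTIONS):
            findings.add("public-write")
        if _matches(actions, READ_ACTIONS):
            findings.add("public-read")
    return findings


def audit_bucket(acl, policy_json=None):
    """Union of ACL and policy findings; an empty set means no anonymous access found."""
    findings = acl_findings(acl)
    if policy_json:
        findings |= policy_findings(policy_json)
    return findings


# --- constructed sample data (not taken from any real bucket) ---
_OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
_ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

WEAK_ACL = {"Owner": _OWNER, "Grants": [
    {"Grantee": _OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": _ALL_USERS, "Permission": "READ"},
    {"Grantee": _ALL_USERS, "Permission": "WRITE"},  # anyone can overwrite the site's JS
]}
HARDENED_ACL = {"Owner": _OWNER, "Grants": [{"Grantee": _OWNER, "Permission": "FULL_CONTROL"}]}

WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:Put*"],
    "Resource": "arn:aws:s3:::example-site-assets/*"}]})  # hypothetical bucket
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-site-assets/*"}]})  # hypothetical account/role

if __name__ == "__main__":
    print("weak:    ", sorted(audit_bucket(WEAK_ACL, WEAK_POLICY)))      # public-read, public-write
    print("hardened:", sorted(audit_bucket(HARDENED_ACL, HARDENED_POLICY)))  # nothing
```

A "public-read" finding on its own is normal for a bucket that serves a static site; it is the "public-write" grant that lets an outsider replace a hosted script with one carrying a skimmer. The check reads the bucket's own settings only: S3 Block Public Access, applied at the account or bucket level, can override these grants, so a complete audit records that setting alongside the findings above.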
In addition, this particular group is going beyond targeting e-commerce and other online shopping sites. The RiskIQ analysis found that many of the unsecured S3 buckets belonged to companies listed in the Alexa Top 2000 list of popular websites.
RiskIQ is working with Amazon Web Services in an attempt to contact the owners of these unsecured buckets to help them lock down access and remove the malicious code, says Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months.
"The approach is broad, and unlike past Magecart attacks, there is no filtering to e-commerce only, so the impact could have been so much bigger than just an e-commerce skimming breach," Klijnsma tells Information Security Media Group. "We've seen the skimmers end up on very popular websites but not on a payment page, which means it did not skim any data.”
Tracking Magecart Groups
Klijnsma calls the new gang that RiskIQ discovered "Magecart Group 13." But he says there are likely more than 13 gangs operating under the same umbrella and using many of the same malicious tools, which are bought for relatively little money on dark net forums.
Most recently, Magecart-associated groups have been suspected in attacks against shoe manufacturer Fila as well as the bedding sites Mypillow.com and Amerisleep.com, according to earlier analyses by security firm Group-IB and by RiskIQ.
Other suspected victims of Magecart-style attacks include British Airways, Ticketmaster and Newegg.
Earlier this week, Britain's privacy watchdog issued a "notice of intent" that it plans to fine British Airways about $230 million for violating the EU's General Data Protection Regulation. That violation of the law is believed to be tied to the Magecart attack (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
'Spray and Pray'
In this latest attack, the Magecart-associated gang is using what RiskIQ calls a "spray and pray" technique: rather than picking out payment sites, it plants its skimmer in any writable bucket it finds, whether or not the site served from that bucket ever handles card data.
What's not yet clear is whether the gang is selling its stolen payment card information on dark net forums or using it to make fraudulent charges, Klijnsma says.
"We estimate the yield of websites that are producing actual payment data to be very low compared to the number of sites they compromised," Klijnsma says. "We do not have any actual profit amounts on this campaign. However, groups always factor in the opportunity cost before performing campaigns. The sheer volume of websites they accessed probably made the campaign lucrative."
Targeting Amazon Web Services
The RiskIQ research on this latest Magecart attack focused only on Amazon Web Services and its S3 object storage. It's possible that the same group is targeting companies that use the other two big cloud services - Microsoft Azure and Google Cloud Platform - but Klijnsma and his team have not yet seen evidence of that.
One reason Amazon Web Services is such a tempting target is its sheer size. An analysis by Synergy Research of the top cloud services during the fourth quarter of 2018 found that AWS is larger than its next four closest competitors combined and that it controlled well over 30 percent of the infrastructure-as-a-service market during those three months.
Misconfigured or unsecured Amazon S3 buckets are part of a much larger security issue. In the past two weeks, for example, researchers with UpGuard located unsecured Amazon S3 buckets owned by IT services firm Attunity that left at least 1 TB of data, including files from companies such as Netflix, TD Bank and Ford, exposed to the internet (see: UpGuard: Unsecured Amazon S3 Buckets Exposed 1 TB of Data).
In the case of the Attunity-owned buckets, it's not clear whether anyone managed to access the data. And while it's up to Amazon's customers to secure their buckets, the Magecart attacks show what a daunting task this can turn into, even with AWS' help in trying to locate customers who have been breached.
"While it is up to the customers to configure their S3 buckets, our partnering with Amazon is mostly for remediation outreach as these are their customers," Klijnsma says. "For us to reach out to every organization in the list is nearly impossible."