3rd Party Risk Management , Cloud Security , Cybercrime as-a-service

Unsecured AWS S3 Buckets Infected With Skimmer Code

Analysts Find Fresh Magecart Code and Redirectors to Malvertising Campaign
Unsecured AWS S3 Buckets Infected With Skimmer Code

Cybercriminals are continuing to take advantage of unsecured Amazon Web Services Simple Storage Service cloud storage buckets, with RiskIQ researchers recently finding malicious card skimming code and redirects to a long-running malvertising campaign infecting several websites.

See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR

The malicious skimming code appears to belong to Magecart, which is the umbrella name for a group of cybercriminal gangs that have been planting JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on dozens of e-commerce checkout sites over the past several years in order to steal payment card numbers and other customer data (see: Magecart Group Hits Small Businesses With Updated Skimmer).

On May 12, RiskIQ researchers found the Magecart skimming code on three websites owned by Endeavor Business Media, which hosts content and online forums for firefighters, police and private security professionals, according to the report.

In addition, the analysts found a malicious redirect to a malvertising campaign called Hookads. RiskIQ attempted to contact Endeavor about the code and unsecured S3 buckets, but has not heard back as of this week when the research published.

A spokesperson for Endeavor could not be immediately reached for comment on Thursday.

Over the years, security researchers have warned that threat actors are mass-scanning the internet for misconfigured Amazon S3 buckets in order to plant card skimming and other malicious code to target a wide range of victims.

In July 2019, RiskIQ published a report that Magecart groups are inserting malicious JavaScript into unsecured Amazon S3 buckets. At the time, the researchers identified about 17,000 domains infected with JavaScript skimmers, which could steal payment card data including name, card number, expiration date and CVV information (see: RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets).

"As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative," according to the RiskIQ report published this week.

Magecart Code

The RiskIQ analysts first discovered the card skimming code associated with one Magecart group had been uploaded to AWS S3 buckets belonging to Endeavor Business Media. From there, it was planted on three of the company's websites, according to the report.

The three websites belonging to Endeavor are not effective for deploying this type of skimming code, as there is no payment data on those sites. Instead, the Magecart group seemed to be taking a "shotgun approach," where they place malicious code anywhere and everywhere they can find without regard for whether it is successful, Jordan Herman, a threat researcher at RiskIQ, tells Information Security Media Group.

Malvertising Campaign

In addition to the card skimming code, RiskIQ found a malicious redirector called "jqueryapi1oad," which has been previously found within unsecured or misconfigured cloud storage buckets. This code is also frequently associated with Magecart attacks, although a direct link has not been established, according to the report.

The RiskIQ analysts have previously found the jqueryapi1oad code associated with 362 malicious domains, according to the report.

"We believe the injection of the jqueryapi1oad malicious redirector on those 362 domains is part of one long-running campaign by an actor focused on traffic distribution," Herman says, adding that redirect sends victims to the Hookads malvertising campaign.

The Hookads campaign was first discovered in 2016 and researchers have connected it to various malicious activities, including tech support and other scams, adware, exploit kits and malware, Herman says.

In the case of misconfigured S3 buckets that may have been infected, Herman notes organizations should clean out the data and deploy new resources, or simply create a new S3 bucket, to prevent threat actors from re-installing this type of malicious code.


About the Author

Ishita Chigilli Palli

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.