July 11, 2019

Magecart Launches “Spray and Pray” Attacks on AWS S3 Buckets, Hits 17,000

Pro tip: whitelist, don't blacklist; limit write permissions; simply block public access...

By CBR Staff Writer

Hackers are exploiting badly configured Amazon Web Services (AWS) S3 buckets en masse, bulk-scanning for JavaScript files (files ending in .js) then adding credit card skimming code and overwriting the script on the bucket.

The “spray and pray” attacks have helped the attackers compromise over 17,000 domains, attack surface management firm RiskIQ said today, adding that although only a fraction of the skimmer injections returns payment data, the scale of the attacks means they likely still yield a substantial return on investment.

Magecart AWS Attacks Hit Low-Hanging Fruit

The attacks are only possible on gaping open “world read/write” AWS buckets: a configuration setting for anyone hosting payments services files that would require an unhealthily – but clearly not unusually – cavalier approach to security.

(There are now an eye-watering 2.3 billion files exposed online, owing to the misconfiguration of commonly used file storage technologies, according to digital risk specialist Digital Shadows, including 98 million in the UK alone).

“This is a brand new twist on Magecart,” said Yonathan Klijnsma, head threat researcher at RiskIQ. “Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative. They’ve done their cost-benefit analysis.”

The report comes days after security researchers said an automated card skimming attack had resulted in the theft of payment data from 962 websites in just 24 hours. It now appears plausible that this was a jackpot hit on an exposed cloud bucket.

Read this: Card Details Stolen from 962 Websites in 24-Hours Magecart Spree

The report by San Francisco-based RiskIQ, which has closely tracked Magecart activities, comes a month after McAfee found that over five percent of all AWS S3 storage buckets are set to a ‘world read’ permissions configuration: “Enterprise organizations [also] have at least one AWS S3 bucket set with ‘open write’ permissions, giving anyone in the world access to inject their own data into our environments.”


“Not only that, but most organizations access 25 of these ‘open write’ buckets from their corporate network, most often through a third party (take the case of someone reading a news site where the content being streamed comes from an S3 bucket mistakenly misconfigured to be ‘open write’). Open write is like a free-for-all to anyone trying to compromise our organisations”, McAfee warned.

RiskIQ suggests a simple three-step checklist for all cloud storage users.

1: Whitelist

“Every administrator should very carefully monitor these controls and apply the concept of whitelisting rather than blacklisting, i.e., instead of listing who shouldn’t have access (a lot of people), list who should have access (a few people). Only give access permissions to the processes or individuals who absolutely need them. Review this list periodically to disable unwanted and unneeded access.

2: Limit Those with Write Permissions

“Never give write permissions to everyone. The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets. Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”

3: Block Access

Account administrators can also block public access to prevent anyone in their account from opening a bucket to the public regardless of S3 bucket policy.
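The three checklist items above map directly onto three settings an administrator can inspect on every bucket: the ACL grants, the bucket policy, and the Block Public Access configuration. The following script is an added example written for this article, not tooling from RiskIQ, McAfee or AWS. The group URIs (AllUsers, AuthenticatedUsers), the ACL permission names and the four Block Public Access switches are the real S3 names; the three sample buckets, the owner ID, the account number and the deploy role ARN are constructed placeholders, shaped like the dictionaries boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block, so the audit runs offline.

```python
"""Offline audit of S3 bucket access settings for the 'world write' misconfiguration.

Added example: the audit functions are this page's illustration, not RiskIQ's or
AWS's tooling. The ACL grants, bucket policies and Block Public Access settings
are constructed by hand in the shape boto3 returns them from get_bucket_acl,
get_bucket_policy and get_public_access_block, so everything runs offline.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# ACL permissions that let the grantee add or replace objects, or rewrite the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lower-cased for comparison) that allow replacing a hosted file.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}
# The four Block Public Access switches; checklist item 3 wants all of them on.
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_write_grants(grants):
    """ACL grants giving AllUsers or AuthenticatedUsers a write-class permission (item 2)."""
    return [
        g for g in grants
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g["Permission"] in WRITE_PERMISSIONS
    ]


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_write_statements(policy):
    """Allow statements whose Principal is anyone and whose Action can modify objects (items 1 and 2)."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(stmt)
    return hits


def audit_bucket(name, grants, policy, block_config):
    """Apply the three checklist items; an empty list means the bucket passes."""
    findings = []
    for g in public_write_grants(grants):
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"{name}: ACL grants {g['Permission']} to {group}")
    for stmt in policy_public_write_statements(policy):
        findings.append(f"{name}: policy statement {stmt.get('Sid', '<no Sid>')} lets anyone {stmt['Action']}")
    off = [k for k in BLOCK_SETTINGS if not block_config.get(k)]
    if off:
        findings.append(f"{name}: Block Public Access not fully enabled (off: {', '.join(off)})")
    return findings


# --- constructed sample configurations (placeholder IDs, not real accounts) ---
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}
ALL_OFF = {k: False for k in BLOCK_SETTINGS}
ALL_ON = {k: True for k in BLOCK_SETTINGS}

# 1. The configuration the article describes: anyone may read *and* overwrite objects.
WORLD_WRITE_ACL = [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]
WORLD_WRITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"}]}

# 2. Public read only: objects are served to anyone, but nobody outside the account can change them.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}

# 3. Whitelisted writer: one named deploy role (placeholder ARN) may write; Block Public Access fully on.
WHITELIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployRoleWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-role"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-assets/*"}]}


def run_audit():
    """Audit the three sample buckets and return {name: findings}."""
    return {
        "world-write": audit_bucket("world-write", WORLD_WRITE_ACL, WORLD_WRITE_POLICY, ALL_OFF),
        "public-read": audit_bucket("public-read", [OWNER_GRANT], PUBLIC_READ_POLICY, ALL_OFF),
        "whitelisted": audit_bucket("whitelisted", [OWNER_GRANT], WHITELIST_POLICY, ALL_ON),
    }


if __name__ == "__main__":
    for bucket, findings in run_audit().items():
        print(bucket, "->", findings or ["OK"])
```

The "world-write" sample produces three findings (a public WRITE grant in the ACL, a policy statement letting anyone PutObject, and Block Public Access switched off), which is exactly the combination the article attributes to the compromised buckets. The "public-read" sample shows the distinction RiskIQ draws: anyone can fetch the objects, but no public principal can modify them, so the only finding is the missing Block Public Access setting. Against real buckets, the same functions can be fed the output of boto3's get_bucket_acl, get_bucket_policy (after json.loads of the Policy string) and get_public_access_block calls.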

AWS, which tightened its out-of-the-box security settings last year, also publishes a guide to maintaining a secure S3 bucket setup.

Read this: Colossal 2.3 Billion Files Now Exposed Online
