Thousands of sites fall to Magecart ‘spray and pray’ attack


Connor Jones

12 Jul, 2019

More than 17,000 domains have been compromised in an attack launched by the prolific hacking group Magecart, according to attack surface management firm RiskIQ.

The attack preys upon websites with leaky Amazon S3 buckets, an attack method seen all too often despite them now being protected by default. The researchers said that anyone with an AWS account could read or write files in the affected buckets.

The attackers scanned the web for misconfigured buckets to see if they had any Javascript files they could download and add their skimming code, overwriting the script on the bucket.

Magecart was trying to run scripts on websites to glean and make off with payment information that can then be sold on for profit. It wasn’t just smaller websites affected by the attack, some of the 17,000+ compromised websites fell into the top 2,000 Alex rankings.

The problem with the attacker’s methodology is this type of skimming attacks rarely works on payment pages of websites, which makes the chance of a successful attack low compared to a more considered, targeted approach.

But the Magecart group could still enjoy “a substantial return on investment” due to the range of the attack. “The ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it,” said Yonathan Klijnsma, threat researcher at RiskIQ, in a blog post.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets,” he added. “Without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more – and more impactful – attacks using techniques similar to the ones outlined in this blog.”

Exploiting misconfigured Amazon S3 buckets is a common attack method used time and again by opportunistic cyber criminals.

Earlier in the year, Facebook apps Cultura Collectiva and At the Pool became victims of a similar attack, with the cyber criminals making off with 540 million records, including users’ names, IDs and comments made through Facebook’s social integration.

“Like any other security procedure, security policies are a good mechanism for protecting the access to your S3 Bucket, but it needs to be used the right way,” said Boris Cipot, senior security engineer at Synopsys. “It has to be understood, and the user needs to know what they are doing when applying those policies to their buckets.

“Unfortunately, misconfigured policies then can lead to examples like those where the attacker can identify buckets with those misconfigured policies and modify the content on them,” he added. “Every user should have a good understanding of what they’re doing, but if this is not possible, leave it to professionals that know how to handle security.

“On the other hand it would be nice to see if Amazon could make a policy screening functionality were they could identify such misconfigured policies and warn the user – or in some cases even forbid the usage of loose policies.”

Other notable examples of devastating attacks made possible by leaky buckets include the leak of data belonging 120 American households by Experian. The NSA, WWE and Accenture also suffered similar attacks.

The future looks bright, however. According to reports, since Amazon enabled encryption for buckets by default, the number of exposed files has plummeted to less than 2,000 whereas the number was in the region of 16 million beforehand.