You may not recognize the name Magecart, but you’ve seen its impact. A set of sophisticated hacking groups, Magecart has been behind some of the bigger hacks of the past few years, from British Airways to Ticketmaster, all with the singular goal of stealing credit card numbers. Think of them as the ATM skimmers of the web. And thanks to poor security hygiene, they’ve managed to hit 17,000 domains in the past few months alone.
A new report from threat detection firm RiskIQ details how Magecart hackers have found a way to scan Amazon S3 buckets—cloud repositories that hold data and other backend necessities for sites and companies—for any that are misconfigured to allow anyone with an Amazon Web Services account to not just read their contents but write to them, implementing whatever changes they want. Like, say, inserting code that steals credit card numbers from ecommerce sites.
RiskIQ has tracked the activity as far back as early April; it first noticed the technique after seeing several internet supply chain companies get compromised in May. Rather than the typical targeted attacks that Magecart groups had deployed in the past, though, these turned out to be part of a new “spray and pray” technique. The Magecart hackers were casting the widest possible net, altering the code of countless sites that had no ecommerce function at all, in hopes of catching enough sites that do process credit cards to make its efforts worthwhile.
“It’s still ongoing as we’re talking right now,” says RiskIQ threat researcher Yonathan Klijnsma. “All these guys are doing is just en masse trying to find S3 buckets that have been misconfigured. And their skimmers are getting everywhere.”
It’s a more complicated question than it sounds. The easiest answer is: 17,000 domains and counting, including, RiskIQ says, some that are among the 2,000 biggest sites in the world.
But many of those sites don’t process credit card transactions at all, rendering the Magecart code moot. It's also unclear how many actual S3 buckets are affected, since multiple domains can link back to the same one. So the actual answer, the one that matters, sits in the center of the Venn diagram formed by “domains linked to aggressively misconfigured S3 buckets” and “domains that process credit card payments.” Or more to the point, anyone unfortunate enough to pay for something on one of those sites before the attack is resolved.
Which could take awhile. RiskIQ is working with Amazon to alert the affected administrators to their exposure, but wrangling 17,000 domains takes time. As does making the necessary backend adjustments.
How Bad Is This?
The issue of compromised ecommerce sites, however many there actually are, will have obvious ramifications. But the bigger problem stems from the method of attack itself.
Amazon S3 buckets are secure by default. Companies run into trouble when they actively change those permissions, either somewhere in the development process or when they hand off cloud work to a third-party contractor. Those Amazon S3 bucket misconfigurations have caused plenty of problems before. The fallout, though, was usually limited to the exposure of personally identifiable information, huge databases of usernames and passwords and birthdays and Social Security numbers that wind up for sale, or for free, on the dark web and elsewhere. That’s because those goofs typically give read permission to interlopers, but not the ability to write code. The Magecart hackers figured out a way to scan for misconfigurations that do both—and now they know 17,000 vulnerable domains.
“This is a whole new level of misconfiguring,” says Klijnsma. “These buckets are pretty much owned by anybody who talks to it, which is on a different scale, a different type of data leakage. Pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big.”
The Magecart hackers have a singular focus: credit card skimming. But it’s not hard to imagine a group that thinks bigger, or at least with a more anarchical bent. With the same technique, you could append all sorts of malware to the same sites.
Amazon has developed tools to help its cloud customers forestall this type of attack, including an essentially one-click "block public access" option that it rolled out last fall. Tweak that one setting, and this problem goes away. But clearly, demonstrably, thousands of domains still haven’t locked down their infrastructure, with potentially devastating consequences.
“Nobody seems to have noticed this,” says Klijnsma, “and it’s still going on at such an insane rate.”