New wave of Magecart attacks targeting Amazon S3 buckets


Hackers stealing data from Amazon data stores is nothing new — around 24 million loan records were exposed at the beginning of this year due to a misconfigured S3 bucket, leaving customers' data at risk. But recent movements within the world of Magecart attacks have taken another serious turn, as the focus has shifted to leveraging these misconfigurations to aid in the theft of credit card numbers and other personal data.

Magecart and other skimming attacks have far-reaching consequences, from data theft and fraud to massive fines resulting from GDPR violations. While Magecart attacks focus on injecting malicious JavaScript into a website, either directly into the website code or through a third-party script, this new approach of attacking Amazon data buckets could dramatically escalate both the frequency and target audience of attacks.


Spray and pray attacks

As noted by RiskIQ, the organization that initially published the research around these attacks, the latest attacks seem to differ from regular Magecart attacks in their mass-targeting mentality. Typically, Magecart attacks are focused, with the various hacker groups taking time to research the most effective ways of exploiting a website and its customer base. Even in the cases where third-party scripts were used as malicious sources, code was crafted in a way that targeted a select group of websites.

In the latest group of attacks, the hackers responsible seem intent on affecting as many websites as possible, as quickly as possible, as opposed to maximizing the effect of the malware. This strategy often ends in quick exposure and remediation, but given the potential breadth of the attack, the current results may suggest the payout is worth it — it’s estimated that over 17 thousand websites have been compromised, with many having a prominent presence.

One possible reason for this shotgun-style approach could be that unlike many third-party vendors, Amazon will no doubt move quickly to alert customers to potential exposure, or even adapt their services to include enhanced security. It may be that hackers judge the attack window to be small and as a result, they have attempted to gain as much traction as quickly as possible.


For want of a nail

There is a famous proverb, "For Want of a Nail", which describes how missing something small can lead to the loss of something massive. Organizations can learn from this message — not just to protect themselves against Magecart and similar skimming attacks, but to bolster their wider security stance in general.

These new attacks highlight that regardless of how much effort goes into writing good code, a simple misconfiguration can leave an organization exposed to security incidents. This is why every good security practitioner will stress that cybersecurity should take a layered approach, with each layer playing its own role of checks and balances.

For example, with Magecart attacks, the key is the browser — this is where the malware does its thing. Magecart attacks utilize JavaScript to skim, or scrape, data from pages as the visitor is entering it. When a visitor enters their name and social security number into a loan application page, for example, a Magecart attack would exfiltrate this data at the same time and send it on to the attackers for illicit use.

Organizations should not only look to prevent breaches in their infrastructure, such as by adequately protecting their Amazon S3 buckets, but also protect their application at the browser, where the HTML and JavaScript code is rendered. This way, even in the event of a breach in the datacenter, the malicious JavaScript would have no real impact on the application itself and, in turn, the consumer.
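For the infrastructure layer mentioned above, the following is an added example (not from the original article or from Instart) that audits an S3 bucket policy for statements letting any principal modify the bucket's contents. It assumes the misconfiguration in question is a policy granting write access to everyone, which the article does not spell out; the bucket name, Sids and account ID in the sample policy are constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions that let a caller replace hosted files or loosen the bucket's access rules.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketpolicy", "s3:putbucketacl")

# Constructed sample policy (bucket name, Sids and account ID are made up).
SAMPLE_POLICY = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-assets/*"},
  {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-static-assets/*"},
  {"Sid": "DeployRole", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-static-assets/*"}
]}
"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} matches every caller, not just this account's users.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def public_write_statements(policy_json):
    """Return (sid, write_actions, has_condition) for each Allow statement that
    lets any principal modify the bucket. NotAction/NotPrincipal statements and
    bucket or object ACLs are out of scope here and need separate review."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        hits = [a for a in _as_list(stmt.get("Action", []))
                if any(fnmatchcase(w, a.lower()) for w in WRITE_ACTIONS)]
        if hits:
            findings.append((stmt.get("Sid", f"statement[{i}]"), hits, "Condition" in stmt))
    return findings

if __name__ == "__main__":
    for sid, actions, conditional in public_write_statements(SAMPLE_POLICY):
        note = "conditional, review the Condition block" if conditional else "unconditional"
        print(f"{sid}: public write via {actions} ({note})")
```

Public read on a static-asset bucket is often intentional, so only the write-capable statement is reported; a finding marked conditional still needs a human to judge whether the condition actually narrows access.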

How Instart protects against Magecart

Instart Web Skimming Protection allows organizations to implement protection around their sensitive user-data form fields and cookies. Instart's web skimming protection technology works by implementing a filter at the code level which can prevent third-party JavaScript from reading data unless it comes from white-listed locations.

Website owners are able to implement policies that, in essence, limit document access so as to help avoid the impact of Magecart attacks should a remote script provider become compromised. Policies can specify that only first-party scripts created specifically by the website developers can access fields containing personal information, whereas any third-party content is restricted.
