July 12, 2019 at
Magecart is not a name that has gathered much fame so far, and the chances are that most people had never heard of it until now. That does not mean they have not felt the impact of those who operate under it.
Magecart is an umbrella name for several sophisticated criminal groups, and as such it has been responsible for some of the largest and most damaging web attacks of recent years, including the breaches of Ticketmaster and British Airways. Their goal is to steal payment card details from checkout pages and misuse them for their own gain.
In a way, what they do is the web equivalent of ATM skimming: a few lines of JavaScript injected into a checkout page copy card details as the customer types them. Poor security hygiene across the web has made the job easy, and within only a few months the actors behind this campaign managed to hit as many as 17,000 distinct domains.
Their infamous achievements keep growing in number, and a new report from RiskIQ proves it. According to the threat detection company, Magecart has found a way to scan Amazon's S3 buckets. These are Amazon's cloud storage containers, which are being
used for holding various data that companies and websites tend to require on
The attackers scan for buckets that are misconfigured. The misconfiguration in question lets pretty much anyone with an Amazon Web Services account (and an AWS account is free to create, so this is effectively the whole internet) read, write, and alter any object the bucket holds. Where such a bucket serves JavaScript, the group appends its own code to the script, so that every e-commerce site loading it ends up running a skimmer that steals card numbers.
As for when, RiskIQ believes the activity began in early April, or at least that is as far back as they managed to trace it. They started looking into the possibility after noticing that a number of internet supply chain firms were compromised in May. However, the attacks were not carried out in the way typical for Magecart. Instead, they
seemed to be performed through a technique that researchers have named ‘spray
Basically, the hackers cast the widest net they could, hoping to catch something. In practice, they altered the JavaScript of countless websites, even ones with no connection to e-commerce. It was a large-scale attack with no specific targets in mind. In
fact, RiskIQ researcher Yonathan Klijnsma says that the attack is still
Hackers are scanning for misconfigured S3
Then, they insert their own malware into the file, overwrite the script, and
Who is affected?
The first question on people's minds is whether they are affected. The honest answer is complicated; the short one is that there are 17,000 infected domains and the number keeps growing. Some of them, according to RiskIQ, are among the world's 2,000 biggest websites.
However, many of those sites do not process card transactions at all, and a skimmer on a site with no checkout has nothing to skim, although such a site is still serving attacker-controlled script to its visitors and still needs cleaning up. Further, researchers have yet to determine how many S3 buckets were hit. In other words, there is no way to know how many people were affected, or whether anyone tried to pay for something on an infected site before the compromise is cleaned up.
As things stand, resolving the situation may take quite some time. RiskIQ and Amazon are working together to alert administrators to the exposure and the potential danger to them and their customers. However, 17,000 domains is no small number, and notifying them all takes time. It will take even longer for everyone affected to make the changes that would secure their sites once more.
What can be done about it?
Clearly, there will be quite a few issues before the situation is handled, but the biggest problem is the method the attackers used. Amazon's S3 buckets are secure by default, and firms often run into difficulties when they change permissions. Misconfigurations like the ones detected now have caused problems in the past as well: even when only read permission was handed to interlopers, there could be a lot of trouble.
With the ability to write code in, there is no telling what problems may still be lying beneath the surface. Researchers have called it a whole new level of misconfiguration, one that could have major consequences. Luckily, the Magecart hackers are "only" after card numbers. Bad as that is, it is probably the best anyone could have hoped for, since there are plenty of groups out there who would think bigger and aim to cause as much chaos as possible.
Another positive is that Amazon already offers tooling that helps its cloud customers forestall attacks like this. S3 Block Public Access is a single setting, enabled with one click, that blocks public ACLs and public bucket policies on a bucket or across a whole account. With it, the problem would go away, but it is not that simple: thousands of domains have not locked down their infrastructure and could suffer serious consequences.
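As an added example (not code from RiskIQ, Amazon or this article), the following Python audits a bucket's ACL and bucket policy for the public-write grant the report describes, and checks whether the Block Public Access setting mentioned above cancels it. The sample ACL, policy, bucket name and statement Sid are constructed to mirror the document shapes boto3 returns; the boto3 calls in audit_live() are real S3 API calls but are only reached when you run it against a bucket with credentials configured.

```python
"""Audit an S3 bucket for the public-write misconfiguration Magecart abused.

Added example; the sample ACL/policy below are constructed, not real buckets.
"""
import json

# Group URIs S3 uses for "everyone" in an ACL grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# ACL permissions that let the grantee add or replace objects.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
# Bucket-policy actions (lower-cased) that allow uploading or overwriting objects.
WRITE_ACTIONS = {"*", "s3:*", "s3:put*", "s3:putobject"}

# Block Public Access with every switch on: the "single click" fix.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,        # reject new public ACLs
    "IgnorePublicAcls": True,       # disregard public ACLs already present
    "BlockPublicPolicy": True,      # reject new public bucket policies
    "RestrictPublicBuckets": True,  # public policy only usable by account/service principals
}


def public_write_grants(acl):
    """ACL grants giving AllUsers/AuthenticatedUsers WRITE or FULL_CONTROL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group and grant.get("Permission") in WRITE_PERMISSIONS:
            found.append((group, grant["Permission"]))
    return found


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """Sids of Allow statements letting any principal write objects.

    Conditions are not evaluated, so a statement narrowed by aws:SourceIp or
    similar is still reported; treat the result as a review list.
    """
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(acl, policy, public_access_block=None):
    """Combine both checks; a finding only counts if Block Public Access does not cancel it."""
    pab = public_access_block or {}
    acl_findings = public_write_grants(acl)
    policy_findings = public_write_statements(policy or {})
    acl_effective = bool(acl_findings) and not pab.get("IgnorePublicAcls", False)
    policy_effective = bool(policy_findings) and not pab.get("RestrictPublicBuckets", False)
    return {
        "acl_public_write": acl_findings,
        "policy_public_write": policy_findings,
        "writable_by_anyone": acl_effective or policy_effective,
    }


def audit_live(bucket, s3=None):
    """Run the same audit against a real bucket (needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = {}
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None  # no block configured: every public grant is live
    return audit_bucket(acl, policy, pab)


# Constructed sample matching the misconfiguration described in the report.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicUploadToAssets", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-site-assets/*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
    print("with Block Public Access:",
          audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK)["writable_by_anyone"])
```

The sample bucket is writable by anyone: the ACL grants WRITE to AuthenticatedUsers (any AWS account) and the policy grants s3:PutObject to Principal "*". Re-running the audit with HARDENED_PUBLIC_ACCESS_BLOCK reports it as no longer writable, which is the state `aws s3api put-public-access-block` produces; the skimmer already appended to a script in the bucket must still be removed by restoring the file.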