This article is more than 1 year old

When did you last check your AWS S3 security? Here's four scary words: 17k Magecart infections

Card-slurping malware hits thousands upon thousands of unprotected cloud storage silos

If you're in charge of your organization's Amazon Web Services S3 buckets, here's some fresh motivation to check your security settings: the notorious payment-card-stealing Magecart malware is romping through unprotected storage silos.

Infosec detectives at San Francisco-based RiskIQ reported this week that as many as 17,000 websites have been seeded with the software nasty, after the storage buckets hosting the sites were accidentally left open with public write access enabled.

These misconfigurations were exploited by miscreants to sneak the crimeware into webpages, where it would siphon off people's bank card details as they typed them into payment pages and pass the details back to its masterminds.

According to RiskIQ, since April the Magecart operators have been using Shodan or a similar scanning tool to automatically hunt for open S3 buckets on the public internet that would allow anyone to view and edit files.

"Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js)," said RiskIQ's Yonathan Klijnsma his summary report. "They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."


The crooks hope that some of those Magecart-infected JavaScript files are then used by webpages that handle payment cards – thinking online ordering and subscription checkout pages. The Magecart code, when loaded by a webpage, quietly waits for card details to be typed in, and then covertly harvests that sensitive information and fires them back to fraudsters.

Obviously, this technique is not very precise, and the success rate is low, but since the process can be automated, the costs of mass attacks are also low.

"Although the attackers have had lots of success spreading their skimmer code to thousands of websites, they sacrificed targeting in favor of reach," Klijnsma noted.

"The actors used this technique to cast as wide a net as possible, but many of the compromised scripts do not load on payment pages."

Sceptic wears an incredulous expression, scrunches eyes

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


With so many vulnerable S3 buckets to be had, however, the scattershot approach allows the criminals to get Magecart onto thousands of sites far faster than by probing individual sites.

Fortunately, the problem is easy to solve, provided admins have a full picture and access to all of their firm's S3 buckets. Buckets that contain private information should have public access disabled, and those that do need to be accessible to the open internet should have write permissions strictly limited.

Those that fear their sites may be infected are advised (after doing a thorough investigation and reporting to authorities) to clean out and refill their S3 silos from known clean backups.

"We suggest cleaning out the bucket and performing a new deployment of resources or simply setting up a new bucket," said Klijnsma.

"Customers can also enable versioning on their buckets to roll back objects to a known good version." ®

More about


Send us news

Other stories you might like