Posted on July 12, 2019 at 12:51 PM
Magecart is not a name that has gathered much fame so far, and the chances are that most people have never heard of it until now. However, that does not mean they have not felt the impact of those who work under this name.
Magecart is a set of several highly sophisticated hacking groups. As such, it has been responsible for some of the largest and most devastating hacking attacks in recent years. These groups were behind the hack of Ticketmaster, as well as that of British Airways. Their goal is to steal credit card numbers and misuse them for their own gain.
In a way, what they do can be considered the web version of ATM skimming. Meanwhile, the poor security on the internet has made their job incredibly easy, and within only a few months, the group managed to hit as many as 17,000 different domains.
Their infamous achievements appear to be growing in number, and the new report issued by RiskIQ proves it. According to the threat detection company, Magecart even managed to find a way to scan Amazon’s S3 buckets. These are the company’s cloud repositories, used to hold various data that companies and websites tend to require on occasion.
Now, the attackers can scan them and find those that are misconfigured. This misconfiguration often presents itself as the ability for pretty much anyone with an Amazon Web Services account to read, write, and alter any type of content. Naturally, the group inserted a piece of code that allows them to steal credit card numbers from all kinds of e-commerce websites.
As for when, RiskIQ seems to believe that the hack may have happened in early April; at least, that is as far back as they managed to track it. They started looking into the possibility after noticing that a number of internet supply chain firms were compromised in May. However, the attacks were not performed in a way typical for Magecart. Instead, they seemed to be performed through a technique that researchers have named ‘spray and pray.’
Basically, the hackers were casting the widest net they could create, hoping to catch something. In practice, they were altering the code of countless websites, even those that had no connection to e-commerce. It was a large-scale attack, with no specific targets in mind. In fact, RiskIQ researcher Yonathan Klijnsma says that the attack is still ongoing.
Who is affected?
Now, the first question on people’s minds is whether or not they are affected. The full answer is quite complicated; the short one is that there are 17,000 infected domains, and their number is continuously growing. Some of them, according to RiskIQ, can even be found among the world’s 2,000 biggest websites.
However, many of them do not process credit card transactions at all. And, if they don’t, there is no real harm that infecting their site can do. Further, researchers have yet to determine how many S3 buckets were hit. In other words, there is no way to know how many people were affected, or if anyone tried to pay for something on one of the infected sites before the attack is resolved.
As things are now, resolving the situation might take quite some time. RiskIQ and Amazon are currently working together to alert administrators to the exposure and the potential danger for them and their customers. Still, 17,000 domains is no small number, and notifying them all takes time. It will take even longer for everyone affected to make the changes that would make the sites secure once more.
What can be done about it?
Clearly, there will be quite a few issues before the situation is handled, but the biggest problem is the method that the attackers used. It goes without saying that Amazon’s S3 buckets are quite secure, and firms often run into difficulties when they have to change permissions. Misconfigurations such as the ones detected now have caused problems in the past as well, and even if only read permission were given to interlopers, there could be a lot of trouble.
With the ability to write code into the buckets, there is no telling what kind of problems could still be lying beneath the surface. Researchers have called it a whole new level of misconfiguring, which could have major consequences. Luckily, the Magecart hackers are “only” after credit card numbers. While this might seem bad, it is probably the best anyone could have hoped for, as there are countless groups out there who would think bigger and aim to cause as much chaos as possible.
Another positive thing is that Amazon has created special tools that help its cloud customers forestall attacks such as this. There is a simple block-public-access option that only requires a single click. With it, the problem would go away, but it is not that simple, as thousands of domains have not locked down their infrastructure, and could suffer serious consequences.
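The misconfiguration described earlier (write access for anyone with an AWS account) and the effect of the block-public-access option can both be checked from a bucket's ACL. The following is an added example, not code from RiskIQ, Amazon or the original article; it covers ACL grants only (not bucket policies), and the function names, bucket name and sample ACL are constructed for illustration.

```python
# Added example: audit S3 ACL grants for public read/write exposure.
# Shapes follow the S3 GetBucketAcl response and the PublicAccessBlockConfiguration
# object; the sample data below is constructed, not taken from any real bucket.

GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# Permissions that let the grantee change objects or the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_bucket(name, acl, public_access_block=None):
    """Return one finding per public-group grant; an empty list means none exist."""
    pab = public_access_block or {}
    # IgnorePublicAcls makes S3 disregard public ACL grants even while they stay stored.
    neutralised = bool(pab.get("IgnorePublicAcls"))
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if who is None:
            continue  # grant to a specific user or account, not a public group
        perm = grant.get("Permission", "")
        findings.append({"bucket": name, "grantee": who, "permission": perm,
                         "writable": perm in WRITE_PERMS, "effective": not neutralised})
    return findings


def is_world_writable(findings):
    """True when a public write grant is present and still in effect."""
    return any(f["writable"] and f["effective"] for f in findings)


# Constructed sample: a bucket serving site scripts with an over-broad ACL.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
]}
BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pab in (("no block", None), ("block public access on", BLOCKED)):
        result = audit_bucket("example-static-assets", SAMPLE_ACL, pab)
        print(label, "-> world-writable:", is_world_writable(result))
```

The same functions can be fed the live output of the S3 GetBucketAcl and GetPublicAccessBlock calls for each bucket in an account.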