New MageCart attacks compromised over 17,000 sites

RiskIQ researchers have reported a new wave of MageCart attacks in which the criminals changed tactics and automated their compromises.

They now scan for misconfigured Amazon S3 buckets and inject skimmers into every site and JavaScript file they can write to.

“The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are insecure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them”, RiskIQ specialists report.
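The misconfiguration RiskIQ describes is an ACL grant or bucket policy that lets the AuthenticatedUsers group (any AWS account) or the AllUsers group (anyone) write objects. The following audit script is an added example and not RiskIQ's tooling; it checks a GetBucketAcl response and a bucket policy document for such grants. The sample ACL and policy below are constructed to match the shapes those AWS APIs return, so the script runs offline; the bucket name and owner ID are placeholders.

```python
"""Audit an S3 bucket ACL and bucket policy for grants that let any AWS
account, or anyone at all, write objects. Added example, not RiskIQ's code."""
import fnmatch
import json

# Canned group URIs that S3 uses in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# ACL permissions that allow creating or overwriting objects (or the ACL itself).
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that allow creating, overwriting or removing objects.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")


def acl_write_grants(acl):
    """Return (group, permission) pairs from a GetBucketAcl response that give
    write access to AllUsers (no credentials needed) or AuthenticatedUsers
    (any AWS account whatsoever)."""
    labels = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = labels.get(grantee.get("URI"))
        if label and grant.get("Permission") in WRITE_PERMISSIONS:
            exposed.append((label, grant["Permission"]))
    return exposed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Principal may be the bare string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_write_statements(policy_json):
    """Return (Sid, has_condition) for Allow statements that grant an object-write
    action to every principal. Statements with a Condition are still reported,
    flagged, because the condition may or may not narrow them. NotAction and
    NotPrincipal are not interpreted here (assumption: review those by hand)."""
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS for p in patterns):
            hits.append((stmt.get("Sid", "statement[%d]" % idx), "Condition" in stmt))
    return hits


def audit(acl, policy_json):
    """Combine both checks; a bucket that serves JavaScript should come back empty."""
    return {"acl": acl_write_grants(acl), "policy": policy_write_statements(policy_json)}


# Constructed sample ACL: public read plus write for any AWS account.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed sample policy: public read is intended, the open upload is not.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-assets/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-static-assets/*"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

To run it against a real bucket, feed it the dictionaries returned by `get_bucket_acl` and the `Policy` string from `get_bucket_policy` in boto3. The script only reads the bucket's own ACL and policy; it does not know whether account-level Block Public Access settings override them, so an empty result from this check is necessary but not sufficient.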

Odd as it may seem, the researchers say the tactic pays off: since April 2019 the attackers have compromised more than 17,000 domains by placing JavaScript skimmers on them, and some of the affected sites rank in the Alexa Top 2000.

Although the hackers often infect sites that are not shops at all and have no payment pages, the experts argue that by going for volume the attackers still landed skimmers on enough payment pages for the campaign to remain profitable.


Victims reportedly include Picreel, Alpaca Forms, AppLixir, RYVIU, OmniKick, eGain and AdMaxim. Because these companies supply scripts to other sites, infecting a handful of JS files spread the malware to thousands of further resources.

The researchers attribute the campaign to a relatively new criminal group operating a purchased skimmer, the Inter Skimmer Kit, which has been sold on the black market for over a year and is used by several groups.

Overall, RiskIQ notes, the barrier to entry into this “business” remains very low, which is why web skimming keeps growing.

The landscape has shifted somewhat, and the groups can now be divided into four categories:

  1. “Professional” high-level groups that use web skimming as one tool in their arsenal rather than their main goal (Group 6, which compromised British Airways, is a good example);
  2. Groups that focus solely on skimming and keep refining their skills and attack methods (Groups 3 and 4);
  3. Many small lower-tier groups that buy tools from other criminals and end up operating solutions like the Inter Skimmer Kit;
  4. Occasional home-made skimmers that bring a very small “yield” and appear only from time to time.