Magecart hackers infect over 17,000 web domains
Security researchers believe the scale of Magecart compromise is far larger than previously thought
More than 17,000 websites have been infected with skimmer code by Magecart payment-system hackers, according to security researchers.
In May, RiskIQ discovered yet another mass compromise of third-party ecommerce sites by a Magecart group. At the time, its report claimed that several thousand websites were infected.
But RiskIQ has since said the "actual scale of this campaign and the number of sites affected is much larger than previously reported".
In a blog post, threat researcher Yonathan Klijnsma explains that the "actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets".
He said: "These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them".
Despite already infecting thousands of websites with their JavaScript skimmer code, the hackers favour reach over targeting.
To do this, they have developed a 'shotgun' approach that casts their net as wide as possible. But Klijnsma explained that "many of the compromised scripts do not load on payment pages".
He continued: "However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment."
Klijnsma said that the "widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets".
He added that "without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more - and more impactful - attacks using techniques similar to the ones outlined".
RiskIQ claims that it has been "monitoring the compromise since the start of the beginning of the campaign" and is currently "working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as they are observed".
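The misconfiguration Klijnsma describes corresponds to S3 ACL grants made to AWS's global groups; the following is an added example, not code from RiskIQ or the original article, that flags such grants in ACL documents shaped like the output of `aws s3api get-bucket-acl`. The bucket names and sample ACLs are constructed for illustration.

```python
# Added example: audit S3 bucket ACLs for grants to AWS's global groups.
# Input has the shape returned by `aws s3api get-bucket-acl`.
# ACLs are only one layer; bucket policies and Block Public Access need their own review.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WHO = {ALL_USERS: "anyone on the internet", AUTH_USERS: "any AWS account holder"}

# Severity and effect of each bucket-level ACL permission.
IMPACT = {
    "FULL_CONTROL": ("critical", "can overwrite objects and rewrite the ACL"),
    "WRITE": ("critical", "can create, overwrite or delete objects"),
    "WRITE_ACP": ("critical", "can rewrite the ACL to grant itself WRITE"),
    "READ": ("warning", "can list the bucket's objects"),
    "READ_ACP": ("warning", "can read the ACL"),
}

def risky_grants(acl):
    """Return sorted (severity, grantee, permission, impact) tuples for global-group grants."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in WHO:
            continue  # grants to the owner or a named account are not flagged here
        perm = grant.get("Permission", "")
        severity, impact = IMPACT.get(perm, ("warning", "unrecognised permission"))
        findings.append((severity, WHO[uri], perm, impact))
    return sorted(findings)  # "critical" sorts before "warning"

def writable_by_outsiders(acl):
    """True if a global group can alter the bucket's content or its ACL."""
    return any(severity == "critical" for severity, *_ in risky_grants(acl))

def _grant(permission, uri=None):
    # Helper for the constructed samples: a group grant when uri is given, else the owner.
    grantee = {"Type": "Group", "URI": uri} if uri else {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}
    return {"Grantee": grantee, "Permission": permission}

# Constructed sample ACLs (hypothetical bucket names), not data from the campaign.
SAMPLE_ACLS = {
    "shop-static-example": {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS), _grant("WRITE", AUTH_USERS)]},
    "shop-private-example": {"Grants": [_grant("FULL_CONTROL")]},
}

if __name__ == "__main__":
    for name, acl in SAMPLE_ACLS.items():
        print(name, "WRITABLE BY OUTSIDERS" if writable_by_outsiders(acl) else "ok")
        for finding in risky_grants(acl):
            print("   ", *finding)
```

A bucket that serves scripts to a payment page should report no critical findings; the owner's own FULL_CONTROL grant is expected and is not flagged.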
The news comes in the same week that the ICO announced its intention to fine British Airways £183 million under GDPR over a Magecart attack last year.
Magecart does not refer to a specific hacking group or a particular flaw. Rather, it refers to a range of techniques typically used by a small group of attackers, believed to be based in Russia, that target ecommerce sites' payments pages.
Taking advantage of security flaws in ecommerce software, such as Magento, they inject malicious JavaScript onto payments pages that is able to skim credit card and personal details when someone purchases goods or services online.
The same group behind the British Airways attack are also believed to have been behind a similar attack on Ticketmaster earlier last year - fortunately for Ticketmaster, an attack carried out before the implementation of GDPR.