Case Study: Magecart Executed Attacks On The Amazon S3 Bucket

Magecart, a well-known hacking group was behind some of the highly targeted attacks on websites using web-third-party component; Know why do you need to be on high alert if your website or web app uses web-third-party components

About The Attack

Magecart is a well-known hacking group that had mainly targeted e-commerce websites in the past, especially to steal credit card and other sensitive financial information of the users.

According to a RiskIQ report, the attacker scan for misconfigured Amazon S3 buckets, and once they find one, they start searching for Javascript (.js) files and insert their skimming code in these files. Since the misconfigured Amazon S3 buckets allow for anyone to read and write data, it became effortless for the attackers to inject their malicious code into their files. With the help of the injected malicious code, the attackers were able to log all the card details, that are entered in the payment forms of the websites, and transfer the data outside. It is estimated that more than 17,000 domains have been attacked by Magecart hackers, since the issue was reported in April 2019.

A Third Party Attack?

Companies in the process of auditing their websites for security breaches, don’t take into account third-party tags and codes inserted, but only inspect their in-house developed code. This is where Magecart attackers have been able to gain access into many websites, instead of targeting potential online stores, they started attacking third party services that various e-commerce platform use and injected their skimming code into their JavaScript libraries. This enabled the attackers to reach out to a wide range of websites that used these 3^rd party JavaScript libraries.

Is Amazon Responsible For Magecart Attacks As A CSP
(Cloud Service Provider)?

The breach itself wasn’t because of exploitation of any vulnerability in Amazon S3 buckets, rather by users misconfiguring the buckets, changing permissions, or using some third-party teams to handle their cloud services. Even though the S3 misconfigured buckets issues were spotted before, it was reported that it only allowed read permission into the files present in the S3 bucket. But the Magecart attackers found a way to both read and write in the data.

From our analysis, Amazon S3 is one of the most popular and widely used storage platform, which is also used by many third-party JavaScript library providers. Thus, targeting these providers enabled the hackers to cast a net over thousands of websites and obtain critical credit card information of thousands of customers.

The key to understanding the Magecart attack is that your website and data are no longer safe as businesses are not in control of their website anymore. Gone are the days when they were the ones responsible for their data when it was hosted on their own data centers. But now with the advent of cloud technologies and the growing use of third-parties, too many players are responsible, or in charge of their data. Hence, any mishap can widely expose all their sensitive information to the adversaries.

How Can These Types of Attacks Be Prevented?

Not all the attacks can be prevented but can be made difficult for cyber adversaries to exploit. Since the third-party code is not managed and protected by the company, a continuous monitoring and reporting solution is required to detect changes made by your vendors, a trusted solution an enterprise can rely on.