Attackers continue to abuse misconfigured AWS S3 storage buckets to slip malicious code into websites, with the goal of stealing credit card details and running malvertising campaigns.
Earlier this year, researchers discovered three such sites, owned by a media house, hosting JavaScript skimming code. This is a classic method embraced by Magecart, an association of various hacker groups that targets online shopping cart systems. The three affected websites held content related to the emergency services provided by law enforcement, security professionals, and firefighters.
Magecart operators secretly insert JavaScript code into a compromised website, usually on the payment page, to steal customers' card details, which are then transferred to a remote server controlled by the attacker. This virtual credit card skimming attack is called formjacking.
History of the misconfigured S3 buckets
Last year in July, Magecart ran a similar campaign, exploiting insecure AWS S3 buckets to place virtual credit card skimmers on 17,000 domains. In April 2019, a malvertising campaign was deployed with a malicious script called “jqueryapi1oad” that went on to impact 277 unique hosts. The threat actors behind this code also used misconfigured S3 buckets.
A Colombian soccer website that features in the top 30,000 of global Alexa rankings also had a misconfigured AWS S3 storage bucket.
The Magecart MO
Earlier this year, a blender company called NutriBullet suffered a Magecart attack, but it was only a few weeks later that they discovered the JavaScript skimmer that had been placed within their website. To ensure that the skimmer ended up on the payment page, Magecart targeted the jQuery JavaScript library, a resource every page on the site uses.
In another instance, a credit card skimmer was found embedded within the website of Tupperware, a food storage company. The Magecart attackers exploited vulnerabilities in the website to insert the malicious module, which siphoned credit card details as shoppers filled in the forms to complete transactions.
For quite some time now, threat actors have been exploiting misconfigured S3 buckets to insert their code into multiple websites. According to our security experts, organizations need to follow a few steps to mitigate such threats: they need to secure their S3 buckets, including the Access Control Lists (ACLs) and bucket policies that allow access to public requests or other AWS accounts. In addition, they should employ a vulnerability management suite to weed out existing vulnerabilities so that threat actors cannot exploit them to access the organization’s networks.
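The ACL and bucket policy review described above can be partly automated. The following is an added example, not code from the original article: it checks an ACL and a policy, in the shapes boto3's get_bucket_acl and get_bucket_policy return them, for grants to the public or to any AWS account. The sample ACL, policy and bucket name are constructed for illustration.

```python
import json

# Predefined S3 ACL grantee groups that expose a bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ("*", "s3:*", "s3:put", "s3:delete")  # lower-cased action prefixes

def _as_list(v): return v if isinstance(v, list) else [v]

def audit_acl(acl):
    """Flag grants to public groups; write-type grants let anyone replace files."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            sev = "CRITICAL" if grant["Permission"] in WRITE_PERMS else "WARN"
            findings.append((sev, f"ACL grants {grant['Permission']} to {who}"))
    return findings

def audit_policy(policy_json):
    """Flag Allow statements open to any principal (Condition-scoped ones are skipped here)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or not is_public:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        sev = "CRITICAL" if any(a.startswith(WRITE_ACTIONS) for a in actions) else "WARN"
        findings.append((sev, f"policy allows {', '.join(actions)} to any principal"))
    return findings

# Constructed sample data for a hypothetical bucket that serves a site's JavaScript.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-assets/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-static-assets/*"},
]})

if __name__ == "__main__":
    for severity, message in audit_acl(SAMPLE_ACL) + audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

A CRITICAL finding marks the condition these campaigns depend on: a bucket whose hosted scripts can be overwritten by someone other than the owner.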
To read more, please check eScan Blog