Unsecured AWS S3 Buckets Infected With Skimmer Code
Analysts Find Fresh Magecart Code and Redirectors to Malvertising Campaign
Cybercriminals are continuing to take advantage of unsecured Amazon Web Services Simple Storage Service cloud storage buckets, with RiskIQ researchers recently finding malicious card skimming code and redirects to a long-running malvertising campaign infecting several websites.
On May 12, RiskIQ researchers found the Magecart skimming code on three websites owned by Endeavor Business Media, which hosts content and online forums for firefighters, police and private security professionals, according to the report.
In addition, the analysts found a malicious redirect to a malvertising campaign called Hookads. RiskIQ attempted to contact Endeavor about the code and unsecured S3 buckets, but had not heard back as of this week, when the research was published.
A spokesperson for Endeavor could not be immediately reached for comment on Thursday.
Over the years, security researchers have warned that threat actors are mass-scanning the internet for misconfigured Amazon S3 buckets in order to plant card skimming and other malicious code to target a wide range of victims.
"As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative," according to the RiskIQ report published this week.
The RiskIQ analysts first discovered the card skimming code associated with one Magecart group had been uploaded to AWS S3 buckets belonging to Endeavor Business Media. From there, it was planted on three of the company's websites, according to the report.
The three websites belonging to Endeavor are not effective for deploying this type of skimming code, as there is no payment data on those sites. Instead, the Magecart group seemed to be taking a "shotgun approach," where they place malicious code anywhere and everywhere they can find without regard for whether it is successful, Jordan Herman, a threat researcher at RiskIQ, tells Information Security Media Group.
In addition to the card skimming code, RiskIQ found a malicious redirector called "jqueryapi1oad," which has been previously found within unsecured or misconfigured cloud storage buckets. This code is also frequently associated with Magecart attacks, although a direct link has not been established, according to the report.
The RiskIQ analysts have previously found the jqueryapi1oad code associated with 362 malicious domains, according to the report.
"We believe the injection of the jqueryapi1oad malicious redirector on those 362 domains is part of one long-running campaign by an actor focused on traffic distribution," Herman says, adding that the redirect sends victims to the Hookads malvertising campaign.
The Hookads campaign was first discovered in 2016 and researchers have connected it to various malicious activities, including tech support and other scams, adware, exploit kits and malware, Herman says.
In the case of misconfigured S3 buckets that may have been infected, Herman notes organizations should clean out the data and deploy new resources, or simply create a new S3 bucket, to prevent threat actors from re-installing this type of malicious code.
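As an added example (not from the RiskIQ report or this article), the following check flags buckets whose ACL or bucket policy lets anyone write to them, which is one way to inventory exposed buckets before code is planted in them. It assumes the misconfiguration is anonymous write access, which the article does not specify; the sample ACL, policy and bucket name are constructed, shaped like the output of S3's GetBucketAcl and GetBucketPolicy calls.

```python
import json
from fnmatch import fnmatchcase

# Group URIs S3 uses in ACL grants for "anyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Representative write actions; a policy Action pattern matching any of them is flagged.
WRITE_ACTIONS = ["s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:putbucketpolicy"]


def _listify(value):
    return value if isinstance(value, list) else [value]


def _public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _listify(principal)


def public_write_findings(acl, policy_json=None):
    """Return the reasons a bucket is writable by anyone (empty list if none)."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in ACL_WRITE:
            findings.append(f"ACL: {grant['Permission']} for {uri.rsplit('/', 1)[-1]}")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _public(stmt.get("Principal")):
            continue
        for pattern in _listify(stmt.get("Action", [])):
            if any(fnmatchcase(a, pattern.lower()) for a in WRITE_ACTIONS):
                note = " (has Condition, review)" if stmt.get("Condition") else ""
                findings.append(f"Policy: {pattern} for Principal *{note}")
    return findings


# Constructed sample: public read plus public write via both ACL and policy.
_ALL = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": _ALL}, "Permission": p}
                         for p in ("READ", "WRITE")]}
_RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": _RES},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"], "Resource": _RES}]})

if __name__ == "__main__":
    print("\n".join(public_write_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

The check reads only the ACL and policy documents; S3 Block Public Access settings at the bucket or account level can override what they grant, and statements using NotAction or NotPrincipal are not evaluated.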