Analysts Find Fresh Magecart Code and Redirectors to Malvertising Campaign.
Malicious card skimming code discovered by RiskIQ suggests that cybercriminals are taking advantage of unsecured Amazon Web Devices Simple Storage Service cloud storage buckets.
There seems to be a link between the malicious code and a cybercriminal group collectively known as Magecart. Magecart has stolen customer details, like card numbers over the past years; and by deploying JavaScript skimmers alias JavaScript sniffers or JS sniffers on eCommerce sites.
RiskIQ researchers found the Magecart skimming code on three websites owned by Endeavour Business Media.
Endeavor Business Media is a website that hosts online forums for firefighters, police, and private security professionals. Researchers also found a malicious redirect to a malvertising campaign called Hookads.
Attempts to get in touch with Endeavour have been futile up to this date. “In July 2019, RiskIQ published a report that Magecart groups are inserting malicious JavaScript into unsecured Amazon S3 buckets. At the time, the researchers identified 17,000 domains infected with JavaScript skimmers; which could steal payment card data, including name, card number, expiration date, and CVV information.”
A threat researcher at RiskIQ told Information Security Group, “the three websites belonging to Endeavor are not effective for deploying this type of skimming code, as there is no payment data on those sites. Instead, the Magecart group seemed to be taking a “shotgun approach”; where they place malicious code anywhere and everywhere they can find without regard for success.”
RiskIQ reports read, “as attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative.”
Over the years, security researchers have warned that threat actors are mass-scanning the internet for misconfigured Amazon S3 buckets to plant card skimming and other malicious code to target a wide range of victims.
Malicious campaign
The researchers didn’t find only the skimming codes. A malicious redirector called “jqueryapi1oad” found is believed to be associated with the Magecart.
According to the report, the RiskIQ analysts have previously found the jqueryapi1oad code associated with 362 malicious domains. “We believe the injection of the jqueryapi1oad malicious redirector on those 362 domains is part of one long-running campaign by an actor focused on traffic distribution; the redirect sends victims to the Hookads malvertising campaign.”
Herman said that the Hookads malicious campaign was initially discovered in 2016; and has been linked to several other malicious activities like scam adware, exploit kits, tech support, etc.
On the way forward, RiskIQ has advised organizations affected by the misconfigured S3 buckets to clean out the data and deploy new resources, or create a new S3 bucket, to prevent threat actors from re-installing this type of malicious code.
