If you’re up on the latest in cybersecurity, you’ve heard of Magecart, a sort of cybercrime “group of groups” that digitally skims credit card data from compromised ecommerce sites. Widely publicized breaches from companies like British Airways, Newegg, and Ticketmaster are considered to be the work of Magecart, which remains at large, although security researchers are working hard to learn more about the cybercriminals. For instance, RiskIQ, an attack surface management solution provider, published a joint Magecart-focused report at the end of last year that profiled the groups (there are at least seven of them, according to RiskIQ), as well as their common tactics and their typical targets.

The latest Magecart campaign, which affects Amazon S3 (Simple Storage Service), an object storage service from AWS (Amazon Web Services), began in April this year and is ongoing, RiskIQ researchers say. The cybercriminals behind this campaign are automatically scanning for misconfigured S3 buckets that allow anyone to view and edit files within, then downloading any JavaScript files and adding malicious skimming code to the file(s). RiskIQ’s data suggests that to date Magecart threat actors have impacted more than 17,000 domains using this tactic—possibly many more.

This particular campaign acts like a scattershot, blasting out a ton of skimmers and seeing what sticks. This approach makes it different than other, more targeted Magecart campaigns of the past, because the skimmer code can only accomplish its goal on ecommerce sites and, more specifically, on pages where customers enter their payment details. Therefore, most of the code added to JavaScript files in misconfigured S3 buckets will fail to return any credit card data. However, security researchers say because misconfigured S3 buckets seem relatively easy to find, the scattershot approach is likely still going to turn a massive profit for the criminals behind this effort.

In May, Amazon updated its support page dedicated to securing Amazon S3 buckets and objects. The company advises customers to follow the principle of least privilege, granting only the permissions necessary to complete a task and nothing more. It provides instructions for restricting access to S3 buckets and objects and outlines best practices for securing resources, including encouraging customers to continuously monitor their resources and the actions being taken on them (and providing instructions for doing so).

As usual, education and awareness are necessary to stop this Magecart campaign from affecting more S3 buckets and domains. For AWS customers using S3, this means learning about the campaign and following Amazon’s best practices for protecting their digital assets to a T. If your organization discovers a compromised bucket, the moment of discovery is the moment to act. RiskIQ suggests the following steps: figure out what happened and compile a high-level incident description; investigate how the incident happened by checking logs and file modification timestamps; and, finally, determine the breach’s impact. After taking these steps, it’s time to mitigate the issue at hand and take precautions to ensure it won’t happen again. For the current Magecart campaign, the easiest way to prevent another similar breach in the future is to rein in access control and provide write permissions only to approved users.
