Pro tip: whitelist, don’t blacklist; limit write permissions; simply block public access…
The “spray and pray” attacks have helped the attackers compromise over 17,000 domains, attack surface management RiskIQ said today, adding that although only a fraction of the skimmer injections returns payment data, the scale of the attacks means they likely still yield a substantial return on investment.
Magecart AWS Attacks Hit Low-Hanging Fruit
The attacks are only possible on gaping open “world read/write” AWS buckets: a configuration setting for anyone hosting payments services files that would require an unhealthily – but clearly not unusually – cavalier approach to security.
(There are now a eye-watering 2.3 billion files exposed online, owing to the misconfiguration of commonly used file storage technologies, according to digital risk specialist Digital Shadows, including 98 million in the UK alone).
“This is a brand new twist on Magecart,” said Yonathan Klijnsma, head threat researcher at RiskIQ. “Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative. They’ve done their cost-benefit analysis.”
The report comes days after security researchers said an automated card skimming attack had resulted in the theft of payment data from 962 websites in just 24 hours. It now appears plausible that this was a jackpot hit on an exposed cloud bucket.
The report by San Francisco-based RiskIQ, which has closely tracked Magecart activities, comes a month after McAfee found that over five percent of all AWS S3 storage buckets are set to a ‘world read’ permissions configuration: “Enterprise organizations [also] have at least one AWS S3 bucket set with ‘open write’ permissions, giving anyone in the world access to inject their own data into our environments.”
“Not only that, but most organizations access 25 of these ‘open write’ buckets from their corporate network, most often through a third party (take the case of someone reading a news site where the content being streamed comes from an S3 bucket mistakenly misconfigured to be open write’). Open write is like a free-for-all to anyone trying compromise our organisations”, McAfee warned.
RiskIQ suggests a simple three-step checklist for all cloud storage users.
“Every administrator should very carefully monitor these controls and apply the concept of whitelisting rather than blacklisting, i.e., instead of listing who shouldn’t have access (a lot of people), list who should have access (a few people). Only give access permissions to the processes or individuals who absolutely need them. Review this list periodically to disable unwanted and unneeded access.
2: Limit Those with Write Permissions
“Never give write permissions to everyone. The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets. Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.
3: Block Access:
“Account administrators can also block public access to prevent anyone in their account from opening a bucket to the public regardless of S3 bucket policy.
AWS, which tightened its out-of-the-box security settings last year, also has a guide to maintaining a secure S3 bucket setup here.