RiskIQ has monitored the compromise of S3 buckets since the campaign began in April 2019. The company has been working with Amazon and affected parties to address the injections and misconfigured S3 instances as they observe them.

According to the report, the actors behind the attack have automated the process of simultaneously compromising over 17,000 domains with skimmers by actively scanning for misconfigured Amazon S3 buckets. Because these buckets are misconfigured, they are unsecure and anyone with an Amazon Web Services account can read or write content to them.
This attack introduces yet another method by Magecart that RiskIQ researchers call a "spray and pray" approach. Because skimmers only work when placed on payment/checkout pages, most Magecart attacks target specific e-commerce sites and attempt to drop a skimmer only on pages with payment forms. However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will yield a substantial return on investment.

"This is a brand new twist on Magecart," said Yonathan Klijnsma, head threat researcher at RiskIQ. "Although this group chose reach over targeting, they likely ended up getting their skimmer on enough payment pages to make their attack lucrative. They've done their cost-benefit analysis."

The scale of this attack illustrates how easy it is for threat actors of any kind to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets. RiskIQ researchers stress that without greater awareness and an increased effort to implement security controls needed, there will be more attacks using techniques similar to the ones outlined in this blog.

Adding to the gravity of the Magecart threat, the S3 bucket method comes to light as the first post-GDPR fine was imposed against British Airways for the Magecart breach of its website, which RiskIQ also exposed. The proposed amount of £183m represents 1.5% of BA's 2017 revenues and dwarfs the largest pre-GDPR fine levied by the UK's Information Commissioner's Office (ICO) of £500,000.

"The proposed £183m fine against British Airways for the breach of its website by Magecart represents 1.5% of its 2017 revenues, which is astronomically larger than any pre-GDPR fine," said Lou Manousos, RiskIQ CEO. "With the recent explosion of web and browser-based threats, this precedent should have organisations re-evaluating their current security strategy for dealing with threats beyond the firewall.”