More S3 Buckets Compromised with Magecart and Malicious Redirector

Security researchers are once again warning website owners to ensure any cloud storage resources linked to their site are locked down, after discovering Magecart and malicious redirector code lurking in misconfigured S3 buckets.

RiskIQ threat researcher, Jordan Herman, said his team made the discovery on May 12, after finding Magecart code residing on three websites all run by a company known as Endeavor Business Media. They apparently host content and chat forums designed for firefighters, police officers and security professionals.

Alongside Magecart they found a malicious redirector dubbed “jqueryapi1oad” which they first discovered back in July 2019 on compromised S3 buckets that had also been seeded with digital skimming code.

On closer inspection, RiskIQ discovered the redirector first appeared in April of last year and is still in use, connected with 362 unique domains.

It’s linked to the Hookads malvertising campaign that Herman claimed “has historically been connected to exploit kits and other malicious behavior.”

They found the redirector on other sites with misconfigured S3 buckets, including a Colombian football news site that’s in the top 30,000 global Alexa rankings. So far, 277 sites have been identified as affected by jqueryapi1oad, potentially exposing countless unsuspected web users.

“As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative,” argued Herman.

“In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured.”

Back in July 2019, RiskIQ warned that attackers were actively scanning for misconfigured S3 buckets to spread malicious code, seeding skimming code into AWS instances associated with 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world.

The latest discovery proves such attacks are ongoing, and represent an immediate threat to organizations.

What’s Hot on Infosecurity Magazine?