
New Magecart attack affects 17,000 sites


Magecart, a hacker group known for website and card skimming, is being held responsible for a recent data breach that impacted several websites through injected malicious code.

According to a report from threat intelligence firm RiskIQ, the hackers used a “spray-and-pray” approach to compromise and plant malicious code on over 17,000 domains since April 2019. RiskIQ stated the attackers have been active in web skimming for a long time and started compromising unsecured S3 buckets in early April.

By compromising a few sites, the malicious code spread to thousands of other sites, including Picreel, Alpaca Forms, AppLixir, RYVIU, OmniKick, eGain, and AdMaxim.

“The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them,” RiskIQ said in a statement.

“RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them,” the statement added.
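The exposure RiskIQ describes can be checked for on the defender's side. The Python below is an added example, not code from RiskIQ or from this article: it assumes the bucket ACL and bucket policy have already been fetched (in the shape boto3's get_bucket_acl and get_bucket_policy return) and flags grants to the global AllUsers/AuthenticatedUsers groups and policy statements that let any principal write. The sample ACL, policy, bucket name and Sids are constructed.

```python
import json
from fnmatch import fnmatchcase

# Predefined S3 grantee groups: anyone at all / anyone with an AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:putbucketacl", "s3:putbucketpolicy")

def as_list(value):
    """Policy fields may be absent, a single string, or a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def acl_findings(acl):
    """Return (group, permission) for every grant to a global group."""
    found = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return found

def policy_findings(policy_json):
    """Return Sids of unconditioned Allow statements letting any principal write."""
    found = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))
        # Action entries may be wildcards such as "s3:Put*" or "s3:*".
        patterns = [a.lower() for a in as_list(st.get("Action"))]
        writes = any(fnmatchcase(w, p) for w in WRITE_ACTIONS for p in patterns)
        if st.get("Effect") == "Allow" and anyone and writes and not st.get("Condition"):
            found.append(st.get("Sid", f"statement-{i}"))
    return found

# Constructed samples: an ACL and a policy that both expose the bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
print(acl_findings(SAMPLE_ACL), policy_findings(SAMPLE_POLICY))
```

The check does not evaluate Deny statements, NotAction, or account-level Block Public Access settings, so an empty result is not proof that a bucket is closed.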

Earlier, the hacker group was responsible for a data breach that impacted 201 online campus stores in the United States and Canada. According to the cybersecurity firm Trend Micro, the attackers allegedly used a skimming script, a piece of malicious code designed to steal data, against 201 online stores that were catering to 176 colleges and universities in the U.S. and 21 in Canada.

Security researchers at Trend Micro stated that they detected the attack, dubbed a Magecart attack, against multiple campus online store websites on April 14, 2019; the sites' payment checkout pages had been injected with a malicious skimming script. The hackers use the skimming script to compromise the card information and personal details that users enter on the payment page. Trend Micro stated the attackers also compromised PrismWeb, an e-commerce platform designed for college stores by PrismRBS.