Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns.
The unpatched affected websites host emergency services-related content and chat forums catering to firefighters, police officers, and security professionals, per RiskIQ.
The cyber firm said it hasn’t heard back from Endeavor Business Media despite reaching out to the company to address the issues.
As a consequence, it’s working with Swiss non-profit cybersecurity firm Abuse.ch to sinkhole the malicious domains associated with the campaign.
Amazon S3 (short for Simple Storage Service) is a scalable storage infrastructure that offers a reliable means to save and retrieve any amount of data via a web services interface.
Last July, RiskIQ uncovered a similar Magecart campaign leveraging misconfigured S3 buckets to inject digital credit card skimmers on 17,000 domains.
“We first identified the jqueryapi1oad malicious redirector — so named after the cookie we connected with it — in July of 2019,” the researchers said. “Our research team determined that the actors behind this malicious code were also exploiting misconfigured S3 buckets.”
“The domain futbolred[.]com is a Colombian soccer news site that’s in the top 30,000 of global Alexa rankings. It also misconfigured an S3 bucket, leaving it open to jqueryapi1oad,” the researchers said.
To mitigate these threats, RiskIQ recommends securing S3 buckets with the right level of permissions, in addition to using Access Control Lists (ACLs) and bucket policies to grant access to other AWS accounts or to public requests.
“Misconfigured S3 buckets that allow malicious actors to insert their code into numerous websites is an ongoing issue,” RiskIQ concluded. “In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured.”