Hello, welcome to the Monday, July 15th, 2019 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and the time recording from Swinton, England.

Magerd is just not going away, and the latest version of this thread was written up in a nice blog post by Jonathan Kleinsma.

MageCard usually manifests itself in a JavaScript library being injected into checkout

pages in order to steal payment card data.

Now in the past, one of the favorite modes for M MageCard to operate was essentially as a supply chain attack.

The website itself wasn't as much a target as in many cases libraries that these websites included.

While there are a number of different Magecard families out there, the one that

probably caused the most of concern was the one that would inject itself into various tracking

scripts and the like, and then websites would include this JavaScript, including the malicious

mageard part.

Now, the latest version of this is sort of a little bit of different kind of supply chain

attack, not necessarily going after third-party libraries, but in general going after

open S3 buckets.

Now, Amazon's S3 service has had a number of issues with attackers finding readable buckets.

In this case, the attacker needs to find a bucket that's not only readable, but also writable.

And this particular group will then inject this magecard JavaScript into

whatever writeable JavaScript file they can find as risk IQ points out that this of

course will hit a large number of websites that don't even deal with payment card data

or not even the pages that

actually received the data, but still probably successful enough by just emphasizing

quantity over quality, which is a little bit of different approach for Mage card.

...