In brief: Security researchers report that a skimming campaign that started in April and was discovered in May might be more widespread than initially thought. As many as 17,000 websites may have had credit card skimmers injected into their payment screens.

On May 14, security firm RiskIQ discovered seven third-party web suppliers that had had their payment scripts injected with skimmer code. Since these providers supply vending scripts to other companies, thousands of websites might have been compromised. However, after monitoring the situation, researchers found that the scope of the attacks was much broader than initially reported.

The credit card skimming group Magecart is allegedly behind the injection campaign. You may recall Magecart as the group responsible for breaches spanning over the last several months into various companies including British Airways, Newegg, Quest Diagnostics, and others.

The hackers have reportedly automated their methods, which continually scan for misconfigured Amazon S3 buckets. The process looks for accounts that have their read/write privileges unsecured. It then runs a scan for any JavaScript files. The .js scripts are downloaded, appended with skimming code, and re-uploaded without alerting the websites or admins.

"The widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets."

Researchers refer to this as the “Shotgun Approach.” Magecart is favoring quantity over accuracy. Even though many of the injections will fail with this strategy, the group is counting on a small fraction to provide a substantial return.

"The widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets," said RiskIQ in a press release. "Without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more—and more impactful—attacks using techniques similar [to Magecart's]."

This campaign has been going on since early April. RiskIQ has been monitoring the activity in cooperation with Amazon and has been notifying websites that have been attacked as they are discovered. So far the security group has uncovered numerous compromised S3 buckets affecting well over 17,000 websites. Several of the websites are list in the top 2,000 Alexa rankings.

RiskIQ urges S3 bucket owners to be sure their access controls are tight by whitelisting rather than blacklisting, strictly limiting write privileges, and enabling Amazon's public access filter. Amazon also has a page dedicated to informing users how to secure their S3 bucket resources.