Magecart skimmers found on Amazon CloudFront CDN
Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries had been tampered with and injected with web skimmers. The skimmer used in this attack looked eerily familiar. Indeed, looking back in time, we noted that it previously used the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks. RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.