Misconfigured Amazon Web Services Inc. S3 cloud storage instances have long been a source of data breaches, but in a dangerous new twist, those same instances are now being exploited by a hacking group to steal credit card data.

Discovered by security researchers at RiskIQ Inc. and revealed Wednesday, the new attacks involve a Magecart gang injecting exposed instances with skimmer code. Once inserted into an S3 instance linked to a website, the code can then potentially infect a website and steal payments made by customers.

Magecart emerged last year with an attack on British Airways Plc. The attacks involve inserting code into payment gateways to steal card data and have been highly successful. Victims include Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd.,  Ticketmaster Entertainment Inc. and Oxo International Ltd.

The new attacks targeting the S3 storage service may see the list of companies affected reach into five figures. The security researchers noted that the new attacks have managed to compromise a vast collection of S3 storage buckets linked to more than 17,000 domains, including some among the top 2,000 websites.

What isn’t noted is which Magecart group is behind the attacks or whether this could be a new Magecart gang. Multiple hacking groups are known to be using Magecart techniques, including Magecart Group 12 that targeted advertising sites detailed in a report Jan. 16.

One unique feature of the S3 attacks is that the group is using a “spray and pray” technique as opposed to previous attacks that were highly targeted. In this case, the Magecart group is installing the skimmer code on any open S3 instances it can find in the hope that some of them may be linked to sites that have e-commerce functions.

Not surprisingly, the security researchers are once again calling for greater awareness of the risks involved with misconfigured cloud storage, particularly on AWS.

More attacks are likely ahead, said Deepak Patel, security evangelist at threat protection technology firm PerimeterX Inc., who told SiliconANGLE that Magecart attacks are only accelerating.

“Digital skimming is the fastest growing attack type because cybercriminals always follow the money,” Patel said. “Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines, as in the case of the British Airways GDPR fine, and damage to brand reputation.”

Image: Maxpixel