If you check page source of https://my.games, you can notice that site gets static files (scripts, styles, images) using following URL declaration:
https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png
mygames here is a name of S3 bucket.
After creating own S3 bucket in AWS and using https://my.games/hotbox/BUCKET_NAME/, I got βNoSuchBucketβ error.
But my comrade investigated, that hotbox is one of the available types of S3 bucket in MCS.
β¦
https://my.games/hotbox/foobar1337/oops.html
{F828044}
An attacker can host any malicious file on my.games domain.