Attackers leverage software supply chain to compromise high-traffic sites

Web skimming attacks on hundreds of real estate websites deployed via cloud video hosting service

Web skimming attacks are targeting hundreds of real estate websites via a cloud-based video hosting service, researchers have warned.

A blog post from Unit 42, the research arm of Palo Alto Networks, revealed how attackers are using the service to carry out a supply chain attack to inject card skimming malware onto victim sites.

Web skimming attacks occur when malicious script is injected into sites to steal information entered into web forms.

Read more of the latest news about security vulnerabilities

For example, an online booking form might ask for a website user’s personal details and payment information. If this site was vulnerable to skimming attacks, the malicious actors could intercept the data.

The Unit 42 blog post reads: “Recently, we found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka ‘formjacking’) campaigns.

“In the case of the attacks described here, the attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well.”

YOU MIGHT LIKE US retailer PulseTV warns of apparent credit card data breach

The researchers detailed how the skimmer infected the websites, explaining that when the cloud platform user creates a video player, the user is allowed to add their own JavaScript customizations by uploading a .js file to be included in their player.

In this specific instance, the user uploaded a script that could be modified upstream to include malicious content.

The post reads: “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.

“From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal.”

Closing the backdoor

The websites in question were all owned by the same parent company, which hasn’t been named.

Unit 42 researchers said they have informed the organization and have helped them to remove the malware.

The blog post contains more technical information on how the skimmer operates.

Trevor Morgan, product manager at comforte AG, commented: “As these types of attacks continue to evolve in sophistication and cleverness, enterprises need to remain focused on the basics: develop a defensive strategy incorporating more than just perimeter-based security, don’t assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after.

“Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get ahold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain.”

RECOMMENDED Latest web hacking tools – Q1 2022