Attackers leverage software supply chain to compromise high-traffic sites
Web skimming attacks are targeting hundreds of real estate websites via a cloud-based video hosting service, researchers have warned.
Web skimming attacks occur when malicious script is injected into sites to steal information entered into web forms.
For example, an online booking form might ask for a website user’s personal details and payment information. If the site were vulnerable to skimming, malicious actors could intercept that data as it is entered, before it ever reaches the legitimate back end.
The Unit 42 blog post reads: “Recently, we found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka ‘formjacking’) campaigns.
In this specific instance, the site owner had uploaded a custom player script to the video platform. Because that script was hosted upstream and pulled in again whenever the player was updated, anyone able to modify it at its hosted location could insert malicious content that the platform would then distribute.
The post reads: “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.
“From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal.”
Closing the backdoor
The websites in question were all owned by the same parent company, which hasn’t been named.
Unit 42 researchers said they have informed the organization and have helped them to remove the malware.
The blog post contains more technical information on how the skimmer operates.
Trevor Morgan, product manager at comforte AG, commented: “As these types of attacks continue to evolve in sophistication and cleverness, enterprises need to remain focused on the basics: develop a defensive strategy incorporating more than just perimeter-based security, don’t assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after.
“Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get ahold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain.”