- January 5, 2022
- Posted by: administrator
- Category: Credit Cards
Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.
These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.
In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.
In total, Unit42 found over 100 real estate sites compromised by this campaign, showing a very successful supply chain attack.
The researchers notified the cloud video platform and helped the infected sites clear their pages, but this campaign is an example of the ingenuity and determination of adversaries.
Hacking once, infecting hundreds
On the next player update, the video player began serving the malicious script to all real estate sites that already had the player embedded, allowing the script to steal sensitive information inputted into website forms.
The code itself is highly obfuscated, so it’s unlikely to raise any suspicions at first glance or to be caught by unsophisticated security products.
Upon deeper analysis, Unit42 found that the skimmer steals victim names, email addresses, phone numbers, and credit card information. This stolen information is then sent back to an attacker-controlled server, where the threat actors can collect it for further attacks.
Its operational process can be summed up in the following three steps:
- Check whether the webpage load is done and call the next function.
- Read customer input information from the HTML document and call a data-validating function before saving it.
- Send the collected data to the C2 by creating an HTML tag and filling the image source with the server URL.
Palo Alto Networks has published a complete list of the IoCs (indicators of compromise) on this GitHub repository.
An elusive threat
This campaign deploys a polymorphic and continuously evolving skimmer that can’t be stopped using conventional domain name and URL blocking methods.
Instead, admins are advised to conduct regular web content integrity checks and use form-jacking detection solutions.
NOTE:: This article is copyright by bleepingcomputer.com and we are using it for educational or Information purpose only