Web Skimming Attacks On Hundreds Of Real Estate Websites Deployed Through Cloud Video Hosting Service

Jessica Haworth January 05, 2022 at 14:56 UTC

Updated: January 05, 2022 at 14:57 UTC

Attackers exploit software supply chain to compromise high traffic sites

Web skimming attacks targeting hundreds of real estate websites were deployed through a cloud-based video hosting service, researchers have warned.

A blog post from Unit 42, the research arm of Palo Alto Networks, revealed how attackers use the service to conduct a supply chain attack to inject card-skimming malware into victims’ sites.

Web skimming attacks occur when malicious script is injected into sites to steal information entered into web forms.


For example, an online reservation form may request the personal data and payment information of a website user. If this site were vulnerable to skimming attacks, malicious actors could intercept the data.

The Unit 42 blog post reads: “Recently we discovered a supply chain attack exploiting a cloud video platform to distribute skimmer campaigns (also known as ‘formjacking’).

“In the case of the attacks described here, the attacker injected the skimmer’s JavaScript codes into the video, so whenever others upload the video, their websites are embedded with skimmer codes as well.”


Researchers explained how the skimmer reached the websites: when a user of the cloud platform creates a video player, they are allowed to add their own JavaScript customizations by uploading a .js file that is included in their player.

In this specific case, the user uploaded a script that could be edited upstream to include malicious content.

The post continues: “We infer that the attacker modified the static script at its hosted location by attaching a skimmer code. On the next player update, the video platform re-ingested the compromised file and served it with the affected player.

“From the analysis of the code, we know that the skimmer snippet tries to collect sensitive information about the victims such as names, emails, phone numbers and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal.”
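One way a site owner can catch this kind of upstream tampering, as an added example that is not from the Unit 42 post or this article: periodically fetch the third-party customization script, compare its hash against a recorded baseline, and flag any host it references outside an allowlist, while also emitting the Subresource Integrity value for the known-good copy. The script contents, hostnames and baseline below are constructed for the example.

```python
import base64
import hashlib
import re

# Hosts the platform's player is legitimately allowed to contact (assumption, constructed).
ALLOWED_HOSTS = {"cdn.video-platform.example"}

# Matches the host part of any absolute http(s) URL inside the script text.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample: the customization script as originally uploaded by the site owner.
CLEAN_SCRIPT = (
    "// player customization (constructed sample)\n"
    "player.on('ready', function () { player.setVolume(0.5); });\n"
    "player.load('https://cdn.video-platform.example/manifest.m3u8');\n"
)

# Constructed sample: the same file after a line was appended at the hosted location.
MODIFIED_SCRIPT = CLEAN_SCRIPT + "fetch('https://collector.example/img');\n"


def sha256_hex(script: str) -> str:
    """Content hash used as the baseline for change detection."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def sri_value(script: str) -> str:
    """Value for a <script integrity=...> attribute: base64 of the SHA-384 digest."""
    digest = hashlib.sha384(script.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def external_hosts(script: str) -> set[str]:
    """All hosts the script references via absolute URLs."""
    return set(URL_RE.findall(script))


def audit(script: str, baseline_sha256: str) -> list[str]:
    """Return findings: a baseline mismatch and/or any host not on the allowlist."""
    findings = []
    if sha256_hex(script) != baseline_sha256:
        findings.append("hash-mismatch")
    for host in sorted(external_hosts(script) - ALLOWED_HOSTS):
        findings.append("unknown-host:" + host)
    return findings


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_SCRIPT)
    print("baseline SRI:", sri_value(CLEAN_SCRIPT))
    print("clean:", audit(CLEAN_SCRIPT, baseline))
    print("modified:", audit(MODIFIED_SCRIPT, baseline))
```

In practice the baseline hash is recorded when the file is uploaded, and the fetch-and-audit step runs on a schedule so a change introduced during a later player update is noticed before it is embedded on live pages.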

Closing the backdoor

The websites in question were all owned by the same parent company, which has not been named.

Researchers at Unit 42 said they informed the organization and helped them remove the malware.

The blog post contains more technical information on the operation of the skimmer.

Trevor Morgan, Product Manager at comforte AG, commented, “As these types of attacks continue to evolve in sophistication and intelligence, companies must remain focused on what matters most: developing a defensive strategy that incorporates more perimeter-based security, assume that cloud-based services are inherently secure without due diligence, and prioritize emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to sensitive data sought by threat actors.

“Tokenizing data as soon as it enters your business workflows means that business applications and users can continue to work with that information in a protected state, but more importantly, if the wrong people get hold of it, either inadvertently or through coordinated attacks like this one, sensitive information remains obscured so that threat actors cannot exploit it for profit.”
