According to Unit 42 researchers, attackers injected skimmer code into a video player and when a site embedded that player, it also embedded the malicious script and got infected.
Palo Alto Networks’ Unit 42 researchers have identified a new campaign where attackers exploited a cloud video hosting service to launch a supply chain attack on over one hundred real estate websites operated by Sotheby’s Realty. As a result, skimmers were injected, and sensitive personal data was stolen from the sites.
What are Web Skimmers?
According to researchers, threat actors injected malicious scripts inject skimmers or formjackers in the targeted websites to steal private and financial information stored in website forms.
It is common to inject skimmers into hacked websites to extract sensitive information entered into forms. These scripts are also injected on checkout pages of online marketplaces to steal payment data.
SEE: 100s of schools at risk after Magecart attack on Wisepay
“The skimmer itself is highly polymorphic, elusive, and continuously evolving. “When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” researchers stated in their report.
According to Unit 42 researchers, attackers injected skimmer code into a video player. Consequently, when a site embedded that player, it also embedded the malicious script and got infected.
This supply chain attack was immensely successful as attackers could infect over 100 websites. Palo Alto researchers notified the targeted cloud video platform and helped clear the infected pages.
SEE: How to check for websites hacked to run web skimming, magecart attack
“The attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” the report said.
What Data was Stolen?
Malwarebytes reported that this campaign has been active since January 2021. Apparently, attackers have harvested critical personal details such as:
- email addresses
- Phone numbers
- Credit card data
The information was exfiltrated to a remote server identified as “cdn-imgcloud[.]com.” This server previously functioned as a collection domain for a MageCart attack that targeted Amazon CloudFront CDN in June 2019. Unit 42 researchers have published a full list of the Indicators of Compromised (IoCs) on a GitHub repository.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.