Hackers exploited a cloud video hosting provider to launch a supply chain attack on more than a hundred real estate websites, injecting malicious scripts to collect data from forms. Skimmers or formjackers are scripts routinely inserted into hacked websites to steal sensitive information submitted into forms. Skimmers are frequently used on online store checkout screens to steal payment details.
In a fresh supply chain attack uncovered by Palo Alto Networks Unit42, threat actors leveraged a cloud video hosting feature to insert skimmer malware into a video player. When a site embeds that video player, the malicious script is also included, which infects the website.
According to Unit42, this campaign hacked over 100 real estate sites, demonstrating a highly effective supply chain attack. The researchers alerted the cloud video platform and assisted the infected sites in clearing their pages, but this campaign exemplifies adversaries’ ingenuity and persistence.
The cloud video platform used in the attack allows users to construct video players that can be personalized with custom JavaScript scripts. A static JavaScript file housed on a distant server was employed in one such customized video player widely integrated on real estate websites. As per Unit42 researchers, the threat actors accessed the upstream JavaScript file and updated it to contain a malicious skimmer script.
The video player began sending the malicious script to all real estate websites that already had the player embedded with the next player update, allowing the script to steal sensitive information entered into website forms. Because the code is so obfuscated, it’s difficult to raise any concerns at first look or detected by less sophisticated security software.
After further investigation, Unit42 discovered that the skimmer captured victim names, email addresses, phone numbers, and credit card information. This stolen data is subsequently transferred to an attacker-controlled site, where threat actors can gather it and use it in future attacks. The three steps that make up its operational procedure are as follows:
- Check if the webpage has finished loading before calling the next function.
- Before saving the HTML document, read the client input information and execute a data-validation function.
- Create an HTML tag and fill the image source with the server URL to send the collected data to the C2 (https://cdn-imgcloud[.]com/img).
Palo Alto Networks has provided a comprehensive list of the IoCs (Indicators of Compromise) on this GitHub repository.