An unknown cloud video platform was used to insert web skimmer malware into over 100 real estate websites belonging to the same corporation. Skimmer attacks are becoming more common, and they entail the deployment of malicious JavaScript code to steal data from users on the targeted website.
“With Palo Alto Networks proactive monitoring and detection services, we detected over 100 real estate sites that were compromised by the same skimmer attack,” Palo Alto writes.
According to Palo Alto Networks, skimmer code was injected into a video as part of this current effort, causing it to be automatically integrated into sites that imported the video. The attack was likely because the exploited cloud video platform allows users to customize players with their JavaScript by uploading a JavaScript file incorporated in the player.
The threat actors used this function by providing a script that could be updated upstream, allowing them to inject malicious content after the player was built. “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” Palo Alto Networks notes.
The JavaScript code was designed to identify credit card patterns, validate card numbers, collect card data, and transfer it to the attackers. It was highly obfuscated to mask its nefarious intent. The skimmer was also built to collect users’ personal information, such as names, phone numbers, and email addresses, as well as verify the data’s legitimacy and deliver it to the attackers’ command and control (C&C) server.
“From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server”.
Palo Alto Networks claims that the skimmer is highly polymorphic, mysterious, and ever-changing. A skimmer of this sort might have a huge impact when paired with cloud distribution platforms.