
Hundreds of real estate websites using cloud video hosting providers, victimized by online skimming attacks


Last Updated on 06/01/2022 by Sanskriti

Researchers have warned that hundreds of real estate websites are being targeted by online skimming attacks using a cloud-based video storage service.

Attackers are using the service to carry out a supply chain attack that inserts card skimmer malware into target sites, according to a blog post from Unit 42, Palo Alto Networks’ research arm.

Web skimming is the practice of placing malicious software into websites in order to steal information submitted through online forms.

For example, an online booking form may request a website user’s personal and financial information. If the site has been compromised by a skimmer, hostile actors can intercept that data.

“Recently, we found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka ‘formjacking’) campaigns,” according to the Unit 42 blog post.

“In the case of the attacks described here, the attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well.”

The researchers explained how the skimmer infected the websites, saying that when a user of the cloud platform installs a video player, they may add their own JavaScript modifications by submitting an a.js file to be included in the player.

In this case, the user submitted a script that could be modified upstream to include malicious code.

The post says, “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.

“From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal.”
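One way a site owner could detect the kind of upstream script change described above, as an added example that is not from Unit 42 or the affected platform: pin a digest of the reviewed script, then flag any change, whether code was attached after the reviewed content, and which new hosts the served copy references. All function names, hostnames and sample scripts are constructed assumptions.

```javascript
// Added example: constructed names and data, not code from Unit 42 or the affected platform.
const { createHash } = require("node:crypto");

// SRI-style digest ("sha384-<base64>") of a script body.
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Hostnames referenced by absolute URLs inside a script body.
function referencedHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return hosts;
}

// Compare the script served now against the copy that was reviewed and pinned.
function auditScript(baseline, served, allowedHosts) {
  const pinned = sriDigest(baseline);
  const current = sriDigest(served);
  const changed = pinned !== current;
  const known = referencedHosts(baseline);
  const newHosts = [...referencedHosts(served)].filter(
    (h) => !known.has(h) && !allowedHosts.includes(h)
  );
  return {
    pinned,
    current,
    changed,
    // Reviewed code still intact, with extra code attached after it.
    appended: changed && served.startsWith(baseline),
    newHosts, // destinations the reviewed copy never contacted
  };
}

// Constructed sample: a reviewed player customization script ...
const BASELINE =
  'player.on("ended", function () { fetch("https://stats.video-host.example/ended"); });\n';
// ... and the same file after inert placeholder code was attached upstream.
const SERVED = BASELINE + 'new Image().src = "https://collector.example/img";\n';
const ALLOWED = ["player.video-host.example"];

const report = auditScript(BASELINE, SERVED, ALLOWED);
if (report.changed) {
  console.log("script changed; appended:", report.appended, "new hosts:", report.newHosts);
}
```

Run on a schedule against each third-party script a page loads, a digest mismatch is a signal to hold the update until the difference has been reviewed.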

The affected websites were all owned by the same parent business, which has not been identified.

According to Unit 42 researchers, they notified the organization and assisted them in removing the infection.

More technical information about how the skimmer works may be found in the blog article.

“As these types of attacks continue to evolve in sophistication and cleverness, enterprises need to remain focused on the basics: develop a defensive strategy incorporating more than just perimeter-based security, don’t assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after.

“Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get ahold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain,” said Trevor Morgan, product manager at comforte.
