Application Security , Incident & Breach Response , Next-Generation Technologies & Secure Development

Formjacking Campaign Leverages Cloud Video Platform

Attacker Targeted Hundreds of Real Estate Websites
Formjacking Campaign Leverages Cloud Video Platform

A new supply chain attack is targeting hundreds of real estate websites by injecting card-skimming malware into a cloud video platform.

See Also: Live Webinar | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Researchers at Palo Alto's research arm, Unit 42, describe in a blog post how numerous users of an unnamed real estate company were susceptible to formjacking attacks, which use malicious JavaScript code to skim credit card and other customer data from payment pages and send that information to the attackers.

The news site Hackread reports that hundreds of the affected real estate websites were operated by Sotheby’s Realty, and it says that the attackers breached the Brightcove video account of Sotheby’s and injected malicious code in the video player after tampering with a script that could be uploaded to add JavaScript customizations to that player.

However, Brightcove subsequently contacted Information Security Media Group to clarify that while the attack occurred through a compromised file that was uploaded, the attack did not originate from within Brightcove and says that no Brightcove players or accounts were accessed. A Brightcove spokesperson told ISMG: "A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident. Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts."

Attack Analysis

Brightcove is a cloud-based online video platform operating from Boston, Massachusetts; it is understood to serve the 900 plus global franchise holders of New Jersey, United States headquartered Sotheby’s Realty, a luxury real estate brand founded by Sotheby's fine art dealers and run jointly with US-based Realogy Holdings Corp. While Unit 42 did not say where the websites attacked or compromised were located, they did say ‘hundreds’ of websites were targeted, making it likely the targets were global.

The researchers say the attacker injected the skimmer JavaScript codes into video so that whenever users imported the video, their websites also get embedded with skimmer codes.

More than 100 real estate sites were reported by Unit 42 to have been compromised by the same skimmer attack.

The researchers say an attacker can inject malicious code into the player of the cloud video platform because when the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this attack, they say, the user uploaded a custom script that could be modified upstream to include malicious content in the form of skimmer code.

"From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal," the researchers say.

On further analysis of the sites, the researchers confirmed that the compromised sites belong to one parent company and that these sites were importing the same video - accompanied by malicious scripts - from a cloud video platform.

Casting a Wide Net

"Supply chain attacks come in many shapes and forms. While most of the headline-grabbing attacks are often targeted against large organizations, there are many instances where criminals will cast a wider net to infect as many organizations as possible," says Javvad Malik, security awareness advocate at security firm KnowBe4.

The researchers at Unit 42 say that the skimmer used is highly polymorphic, elusive and continuously evolving. When combined with cloud distribution platforms, they say, a skimmer of this type can have a very large impact.

"We have to invent more sophisticated strategies to detect skimmer campaigns of this type, since merely blocking domain names or URLs used by skimmers is ineffective," the researchers say.

No Easy Fix

Malik says that many industries use shared services for documents, videos and photos. "These are often most susceptible to attack and can go undetected for longer," he says, and he recommends that organizations carefully vet third parties and use monitoring controls to check for unexpected behavior.

"Unfortunately, there isn't an easy fix for supply chain attacks, and it involves all concerned parties to do their part in ensuring everyone remains secure," Malik says.

The researchers say that they worked with the cloud video platform and the real estate company to help remove this malware prior to the publication of their blog post and add: "We're publishing this piece to alert organizations and web surfers of the potential for supply chain attacks to infect legitimate websites without the knowledge of those organizations."

They recommend that website administrators safeguard any accounts and ensure they manage permissions well to avoid theft by phishing or social engineering. They also say users should conduct web content integrity checks on a regular basis to help detect and prevent injection of malicious code into the website content.


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.