New Web Skimmer Campaign Exploiting Cloud Video Distribution Supply Chain to Target Real Estate Sites.
Palo Alto Networks’ Unit 42 researchers have identified a new campaign where attackers leveraged a cloud video hosting service powered by Brightcove to launch a supply chain attack on over one hundred real estate websites operated by Sotheby’s Realty. As a result, attackers managed to inject web skimmers and access the personal and financial data of visitors from the sites.
In a skimmer attack, threat actors insert malicious JavaScript code into a targeted website, payment page, or checkout page and steal valuable information, including credit card details of site users.
What are Web Skimmers?
According to researchers, threat actors injected skimmers (aka formjackers) in the targeted websites to steal private and financial information stored in website forms.
SEE: 100s of schools at risk after Magecart attack on Wisepay
“The skimmer itself is highly polymorphic, elusive, and continuously evolving. “When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” researchers stated in their report.
Attack details
The modus operandi of the campaign involved attackers injecting malicious code in the player by tampering with a script, which could be uploaded to add JavaScript customizations to that video player.
For your information, Brightcove, Inc. is a cloud-based online video platform operating from Boston, Massachusetts, United States. Sotheby’s on the other hand is one of Brightcove’s high-profile customers – It is worth noting that Brightcove itself was not compromised and the malicious video exploited in the attack was stored on a third-party solution.
According to Unit 42 researchers, attackers injected skimmer code into a video player. Consequently, the customer’s custom configuration of the player was compromised, thereby affecting only websites owned by that customer using the custom, compromised player.
In a statement to Hackread.com, Brightcove explained that:
“A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident.
Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts.”
This supply chain attack was immensely successful as attackers could infect over 100 websites. Palo Alto researchers notified the targeted cloud video platform and helped clear the infected pages.
SEE: How to check for websites hacked to run web skimming, magecart attack
“The attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” the report said.
What Data was Stolen?
Malwarebytes reported that this campaign has been active since January 2021. Apparently, attackers have harvested critical personal details such as:
- Names
- email addresses
- Phone numbers
- Credit card data
The information was exfiltrated to a remote server identified as “cdn-imgcloudcom.” This server previously functioned as a collection domain for a MageCart attack that targeted Amazon CloudFront CDN in June 2019. Unit 42 researchers have published a full list of the Indicators of Compromised (IoCs) on a GitHub repository.
Article updated with corrections and a statement from Brightcove.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.
