Threat actors used an unnamed cloud video platform to install an e-skimmer on more than 100 real estate websites belonging to the same parent company.
Every website importing the video from the platform was compromised due to the presence of the e-skimmer.
“With Palo Alto Networks proactive monitoring and detection services, we detected over 100 real estate sites that were compromised by the same skimmer attack.” reads the analysis published by Palo Alto Networks. “After analysis of the sites we identified, we found that all the compromised sites belong to one parent company. All these compromised sites are importing the same video (accompanied by malicious scripts) from a cloud video platform.”
The security firm helped the cloud video platform and the real estate firm in removing the e-skimmer.
“In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.” continues the analysis.
The attackers were able to modify the static script at its hosted location by attaching e-skimmer code. When the player was next updated, the video platform re-ingested the compromised file and served it along with the customized player to every site embedding the video.
The software skimmer is highly polymorphic and elusive; experts pointed out that it is continuously updated by its authors.
The e-skimmer allows attackers to gather sensitive personal and financial information, including names, email addresses, phone numbers, and credit card data.
Stolen data were uploaded to the server https://cdn-imgcloud[.]com/img.
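The two defensive checks this incident calls for are an integrity check on the script imported from the video platform (so an upstream modification is noticed or blocked rather than silently served to every embedding site) and a scan of outbound traffic for the exfiltration host named above. The following Python is an added example written for this article, not code from Palo Alto Networks or from the video platform; the player script, the "modified" copy, the proxy log lines and all hostnames other than the published indicator are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Exfiltration host reported in the article, kept defanged exactly as published.
KNOWN_EXFIL_HOSTS_DEFANGED = ("cdn-imgcloud[.]com",)


def refang(host: str) -> str:
    """Turn a defanged indicator (cdn-imgcloud[.]com) into a matchable hostname."""
    return host.replace("[.]", ".")


# Constructed sample: the platform's player script as it looked when the site owner reviewed it.
BASELINE_PLAYER_JS = b"(function(){var p=document.getElementById('player');p.play();})();\n"

# Constructed sample: the same script after an upstream edit appended extra code. The appended
# text only names the reported exfiltration host; it is a placeholder, not skimmer code.
MODIFIED_PLAYER_JS = BASELINE_PLAYER_JS + b"/* appended upstream */var u='https://cdn-imgcloud.com/img';\n"

# Constructed proxy log lines (timestamp, client, method, URL, status); hostnames are invented.
SAMPLE_PROXY_LOG = """\
2022-01-01T10:00:01Z 10.0.0.12 GET https://cdn.example-video.invalid/player.js 200
2022-01-01T10:00:03Z 10.0.0.12 POST https://cdn-imgcloud.com/img 200
2022-01-01T10:00:05Z 10.0.0.14 GET https://www.example-realty.invalid/listing/42 200
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Embed tag pinned to the reviewed content; browsers refuse to run a script whose hash differs."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def check_script(expected_sri: str, content: bytes) -> dict:
    """Compare a freshly fetched third-party script with the hash recorded at review time,
    and report whether it now references any known exfiltration host."""
    algo = expected_sri.split("-", 1)[0]
    actual = sri_hash(content, algo)
    hosts = [h for h in map(refang, KNOWN_EXFIL_HOSTS_DEFANGED) if h.encode() in content]
    return {"unchanged": actual == expected_sri, "actual_sri": actual, "exfil_hosts": hosts}


def find_exfil_requests(log_text: str) -> list:
    """Return every proxy log entry whose URL host matches a known exfiltration host."""
    wanted = {refang(h) for h in KNOWN_EXFIL_HOSTS_DEFANGED}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the scan
        ts, client, method, url, _status = parts[:5]
        if urlsplit(url).hostname in wanted:
            hits.append({"time": ts, "client": client, "method": method, "url": url})
    return hits


if __name__ == "__main__":
    baseline = sri_hash(BASELINE_PLAYER_JS)
    print(script_tag("https://cdn.example-video.invalid/player.js", BASELINE_PLAYER_JS))
    print("re-fetched script:", check_script(baseline, MODIFIED_PLAYER_JS))
    for hit in find_exfil_requests(SAMPLE_PROXY_LOG):
        print("outbound to known exfil host:", hit)
```

The `integrity` attribute only helps when the embedding page controls the script URL and the platform serves it as static content; a legitimate player update will also fail the check, which is the point, since it forces a human re-review before the new version is trusted. Where the page cannot pin the script (the platform re-bundles it), the periodic re-fetch in `check_script` and the outbound-host scan in `find_exfil_requests` are the fallback.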
The researchers shared Indicators of Compromise (IoCs) for these attacks.
“The skimmer itself is highly polymorphic, elusive and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” Palo Alto Networks concludes.