Attackers abused cloud video platform to inject an e-skimmer into 100 Real Estate sites

Threat actors compromised more than 100 real estate websites belonging to the same parent company by implanting an e-skimmer.

Threat actors used an unnamed cloud video platform to install an e-skimmer on more than 100 real estate websites belonging to the same parent company.

In e-skimming attacks, attackers inject malicious JavaScript code into e-stores to financial data while visitors are purchasing products. Researchers from Palo Alto Networks documented a supply chain attack in which the attackers abused a cloud video platform to inject an e-skimmer hidden into video.

Every website importing the video from the platform was compromised due to the presence of the e-skimmer.

“With Palo Alto Networks proactive monitoring and detection services, we detected over 100 real estate sites that were compromised by the same skimmer attack.” reads the analysis published by Palo Alto Networks. “After analysis of the sites we identified, we found that all the compromised sites belong to one parent company. All these compromised sites are importing the same video (accompanied by malicious scripts) from a cloud video platform.”

The security firm helped the cloud video platform and the real estate firm in removing the e-skimmer.

The researchers have discovered that the cloud video platform allows users to create their players that could be customized by adding JavaScript code. The JavaScript customizations could be included in a file that is uploaded to the platform.

“In this specific instance, the user uploaded a script that could be modified upstream to include malicious content.We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.” continues the analysis.

The attackers were able to modify the static script at its hosted location by attaching e-skimmer code. By updating the player update, the video platform provided the compromised file and served it along with the customized player.

The software skimmer is highly polymorphic and elusive, experts pointed out that it is continuously updated by the authors.

The e-skimmer allows attackers to gather sensitive and financial information, including names, emails, phone numbers, and credit cards data.

Stolen data were uploaded to the server https://cdn-imgcloud[.]com/img.

The researchers shared Indicators of Compromise (IoCs) for these attacks.

“The skimmer itself is highly polymorphic, elusive and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” Palo Alto Networks concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, e-skimming)

[adrotate banner=”5″]

[adrotate banner=”13″]