Supply chain attacks keep finding new routes in. This time, more than 100 real estate websites were compromised through an unusual vector: a cloud video platform was used to distribute a web skimmer.

Diving into details

Sotheby’s Brightcove account was compromised by attackers who planted a skimmer that harvested payment card details from more than 100 websites. Sotheby’s used the Brightcove video player to show previews of high-end real estate properties. The attack took place last year but has only now come to light. The attackers tampered with the JavaScript of the hosted player rather than with any individual site, so every site that embedded the player loaded the skimmer along with it.

Why this matters

The malicious JavaScript was heavily obfuscated. It looked for credit card number patterns in form input, validated candidate numbers before accepting them, collected the data, and sent it to the operators. The skimmer also harvested users’ personal data, such as names, email addresses, and phone numbers, checked their validity, and shipped them to the attackers’ C2 server. Palo Alto Networks described the skimmer as highly polymorphic, evasive, and continuously evolving. Combined with a cloud distribution platform that pushes the same script to many sites at once, a skimmer like this has an outsized blast radius.
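The validation step described above is what separates a usable card number from the rest of a form dump. The following is an added example, not code from the article or from the skimmer itself, showing the pattern match plus Luhn checksum a skimmer uses to keep only plausible card numbers; the form-field sample is constructed. Defenders can use the same logic in reverse, for instance to seed Luhn-valid honeytoken numbers that a skimmer would accept and exfiltrate, making the exfiltration observable.

```javascript
// Added example (not from the article or the skimmer): the card-validation
// stage of a web skimmer, reproduced so its filter can be understood and tested.

// 13 to 19 digits, optionally grouped by single spaces or dashes, on word boundaries.
const CARD_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn checksum: doubles every second digit from the right, folds >9 to a
// single digit, and requires the total to be a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;           // only decimal digits allowed
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the distinct Luhn-valid card numbers found in a text blob, separators removed.
function extractCardNumbers(text) {
  const found = new Set();
  for (const match of text.match(CARD_PATTERN) || []) {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.add(digits);
    }
  }
  return [...found];
}

// Which form fields a skimmer with this filter would keep and exfiltrate.
function fieldsWithCards(fields) {
  return Object.entries(fields)
    .filter(([, value]) => extractCardNumbers(String(value)).length > 0)
    .map(([name]) => name);
}

// Constructed sample: form values as a skimmer might collect them on a checkout page.
const SAMPLE_FIELDS = {
  cc: '4111 1111 1111 1111',    // well-known Visa test number, passes Luhn
  phone: '+1 212 555 0199',     // too few digits to match
  typo: '4111 1111 1111 1112',  // one digit off, fails Luhn
  order: '1234567890123456',    // 16 digits but fails Luhn, so not a card
  amex: '3782-822463-10005',    // well-known Amex test number, passes Luhn
};

console.log('fields a skimmer would keep:', fieldsWithCards(SAMPLE_FIELDS));
```

The `order` field shows why the checksum matters to the attacker: without it, every 16-digit order or account number on the page would be shipped to the collection server alongside real cards.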

What else?

According to Malwarebytes, the campaign began as early as January 2021, and the stolen data was sent to a remote server that had also served as the collection domain for a Magecart attack involving Amazon CloudFront CDN in June 2019.

The bottom line

To detect and block the injection of malicious code into web platforms, organizations should run web content integrity checks regularly: record what each embedded third-party script looked like when it was approved, and alert when the hosted copy changes. They should also protect their accounts on third-party platforms against takeover, which was the entry point here, and watch for social engineering attempts.

Cyware Publisher