Researchers have discovered a severe supply-chain attack that plants web skimmers on real-estate websites via a cloud video hosting platform.
Video Platform Supply-Chain Attack Targets Real Estate
According to a post from Palo Alto Networks Unit 42, hackers are targeting real estate websites via a video platform.
Specifically, the researchers found over a hundred websites belonging to the same parent firm infected with the same web skimmer. Further analysis revealed that those real estate websites imported the same malicious video from a cloud hosting platform.
Eventually, the researchers discovered that the threat actors behind this campaign had compromised the cloud platform to wage a supply-chain attack.
While assessing a compromised website, the researchers found a skimmer with a heavily obfuscated script in an iframe URL. They have shared the details of the script in their post.
Regarding how the attackers manipulated the video, the post reads,
"When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content."
Consequently, because the attacker altered the script at its hosted location, the platform's subsequent update carried the change into the player, and the malicious video persisted.
"We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player."
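The re-ingestion step described above is where a content pin would catch the change. The following is an added example, not code from Unit 42 or from the video platform: it pins the customer's script to an SRI-style digest at upload time and refuses to re-ingest a file that no longer matches. The function names, the player record layout and the sample script bytes are all hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac

# SRI-style algorithms, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(data: bytes, alg: str = "sha384") -> str:
    """Return an SRI-format token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def matches_pin(data: bytes, pin: str) -> bool:
    """Check data against a space-separated list of SRI tokens.

    Only tokens using the strongest listed algorithm are honoured, so a
    weaker hash cannot be used to bypass a stronger one. An empty or
    unparseable pin fails closed.
    """
    parsed = [(t.partition("-")[0], t) for t in pin.split() if "-" in t]
    parsed = [(alg, t) for alg, t in parsed if alg in STRENGTH]
    if not parsed:
        return False
    best = max(STRENGTH[alg] for alg, _ in parsed)
    return any(
        hmac.compare_digest(sri_digest(data, alg).encode(), t.encode())
        for alg, t in parsed
        if STRENGTH[alg] == best
    )


def ingest_on_update(player: dict, fetched: bytes) -> dict:
    """Decide whether a player update may re-ingest the customer script."""
    if matches_pin(fetched, player["script_pin"]):
        return {"action": "ingest", "player": player["id"]}
    # Content changed since the customer uploaded it: hold it for review.
    return {"action": "quarantine", "player": player["id"],
            "expected": player["script_pin"], "observed": sri_digest(fetched)}


# Constructed sample data: the uploaded script and a later, altered copy.
ORIGINAL = b"player.on('ready', function () { /* customer branding */ });\n"
ALTERED = ORIGINAL + b"/* constructed stand-in for appended content */\n"
PLAYER = {"id": "player-001", "script_pin": sri_digest(ORIGINAL)}
```

The same digest can also be published as an `integrity` attribute so browsers refuse a script that differs from what the site owner reviewed.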
As expected, the skimmer aims to steal payment card details and other sensitive information. It then sends the stolen data to a server (with a low detection rate on VirusTotal).
For now, the researchers have helped remove the malware from the affected website and the cloud platform. Nonetheless, they still urge similar organizations and users to stay wary of such supply-chain attacks.