Jan 6, 2022
Cloud video platform abused in web skimmer attack against real estate sites

Palo Alto Networks’ Unit 42 researchers have identified a new campaign where attackers leveraged a cloud video hosting service powered by Brightcove to launch a supply chain attack on over one hundred real estate websites operated by Sotheby’s Realty. As a result, attackers managed to inject web skimmers and access the personal and financial data of visitors from the sites.
In a skimmer attack, threat actors insert malicious JavaScript code into a targeted website, payment page, or checkout page and steal valuable information, including credit card details of site users.
According to researchers, threat actors injected skimmers (aka formjackers) in the targeted websites to steal private and financial information stored in website forms. 
SEE: 100s of schools at risk after Magecart attack on Wisepay
“The skimmer itself is highly polymorphic, elusive, and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” researchers stated in their report.
The modus operandi of the campaign involved attackers injecting malicious code in the player by tampering with a script, which could be uploaded to add JavaScript customizations to that video player.
For your information, Brightcove, Inc. is a cloud-based online video platform operating from Boston, Massachusetts, United States. Sotheby’s, on the other hand, is one of Brightcove’s high-profile customers. It is worth noting that Brightcove itself was not compromised and the malicious video exploited in the attack was stored on a third-party solution.
According to Unit 42 researchers, attackers injected skimmer code into a video player. Consequently, the customer’s custom configuration of the player was compromised, thereby affecting only websites owned by that customer using the custom, compromised player.
In a statement to Hackread.com, Brightcove explained that:
“A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident.
Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts.”
This supply chain attack was immensely successful as attackers could infect over 100 websites. Palo Alto researchers notified the targeted cloud video platform and helped clear the infected pages.
SEE: How to check for websites hacked to run web skimming, magecart attack
“The attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” the report said.
[Figure: left, the type of information the compromised real estate sites asked for (the malicious code resides in this HTML page); right, skimmer code analysis.]
Malwarebytes reported that this campaign has been active since January 2021. Apparently, attackers have harvested critical personal details such as:
The information was exfiltrated to a remote server identified as “cdn-imgcloud[.]com.” This server previously functioned as a collection domain for a MageCart attack that targeted Amazon CloudFront CDN in June 2019. Unit 42 researchers have published a full list of the Indicators of Compromise (IoCs) on a GitHub repository.
Article updated with corrections and a statement from Brightcove.
