A new web skimmer campaign has targeted real estate websites by attacking the cloud video distribution supply chain, according to Unit 42 research.


Often, supply chain networks are targets since controlling a weak link in the supply chain allows attackers access to more victims, especially when the weak link is the source of the supply chain. In this case, the attacker injected the skimmer JavaScript codes into the video, so whenever others import the footage, their websites get embedded with skimmer codes.


Hank Schless, Senior Manager, Security Solutions at Lookout, an endpoint-to-cloud security company, explains, “By injecting malicious code into front-end web pages, formjacking campaigns are a common way for threat actors to steal sensitive data. Since the actor can customize the malicious form, they could easily slip into a field that’s tangentially aligned with the host website’s actual intention. For example, in this incident with a real estate site, the attacker could ask for all of the basic information but add a line for the user’s social security number to validate their credit. This same tactic could be used to swipe corporate login credentials from employees. Creating a fake login form would be just as straightforward as any other data-collecting form.”


Unit 42 researchers detected more than 100 real estate sites that were compromised by the same skimmer attack. After analysis, researchers found that all the compromised sites belong to one parent company, Sotheby’s. All these compromised sites are importing the same video (accompanied by malicious scripts) from a cloud video platform.


The compromise-one-to-compromise-many is an emerging tactic across commodity malware and low-level cybercriminals. The problem is rooted in how interconnected our digital systems have become, says Davis McCarthy, Principal Security Researcher at Valtix, a cloud-native network security services provider. “Detecting supply chain compromise in the cloud is difficult because visibility isn’t shared equally across all involved parties; the account holder, the SaaS provider, the compromised website owner, and the victimized end user. Abuse is injected into the trust inherited by each party leading to a massive visibility gap. Across the board, detecting abnormal authentication events, monitoring for suspicious domain queries, leveraging threat intelligence to prevent known threats, and auditing deployed services can aid in mitigating this level of compromise.”


Regardless of the intent, Schless says, the greater lesson in this incident is that it’s necessary to know who has access to your cloud-based assets and how users interact with data. He adds, “Whether it’s a front-end webpage or sensitive data stored in your back-end infrastructure, visibility is king. As every organization expands its web and cloud-based presence, they need to be sure that security is part of developing and managing these modern assets. Integrating security into the mindset of every team will benefit the organization as a whole, and implementing the right solutions that protect your employees, users, and data without increasing operational complexity is a key aspect of any modern security strategy.”


In 2018, Sotheby’s revealed that its website had been infected with magecart for 19 months, and also admitted the attack period could have been even longer than 19 months. Nadav Levy, senior product manager of Cyberpion, says, “It is clear that Sotheby’s didn’t fully rectify the situation since their initial Magecart attack in 2018. Formjacking a very common and effective technique in supply chain attacks. Now more than ever, it is critical for companies to continually monitor their supply chains to prevent repeat attacks. In addition, companies need to periodically load their scripts to check if they have been manipulated. They should also inspect to see if scripts are being added to pages and then report or block unintended behavior.”