Researchers reported on Monday that they uncovered a supply chain attack that used an undisclosed cloud video platform to deliver the same formjacking (skimming) campaign to around 100 real estate sites.
After the site analysis, Unit 42 found that all of the compromised sites belonged to a single parent company. Palo Alto has since worked closely with the cloud video platform and real estate company to help them remove the malware.
“We are publishing this article to alert organizations and Internet users to the potential for supply chain attacks to infect legitimate websites without the knowledge of these organizations,” the researchers said.
By injecting malicious code into front-end web pages, formjacking campaigns are a common way for threat actors to steal sensitive data, explained Hank Schless, senior director of security solutions at Lookout. Schless said that because the threat actor can customize the malicious form, it could easily slip into a field that is tangentially aligned with the actual intent of the host website. For example, Schless said in this incident with the real estate site, the attacker could ask for all basic information, but add a line for the user’s social security number to validate their credit.
“This same tactic could be used to sweep employees’ corporate login credentials,” Schless said. “Creating a fake login form would be as easy as any other data collection form. Regardless of intent, the biggest lesson from this incident is that it is necessary to know who has access to your cloud-based assets and how users interact with the data. Whether it’s a front-end web page or sensitive data stored in your back-end infrastructure, visibility is paramount.”
Chris Olson, managing director of The Media Trust, added that formjacking attacks are usually not one-off, isolated incidents. He said more often they represent large-scale attacks that leverage third-party plugins to affect thousands of websites at once.
“Third-party code is the real common denominator behind most web attacks: no matter what language it’s built on, malicious actors will always find vulnerabilities to exploit,” Olson said. “As the Unit 42 article demonstrates, form hijacking attacks are often obfuscated to evade detection by common blocking tools. In our experience, they are also often polymorphic, changing or disappearing between sessions to dodge even advanced malware scanners. Organizations cannot rely solely on automated solutions; they must control their digital providers and constantly monitor the activity of their online domains.”
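The two points above, an injected extra field on a legitimate form and the need to monitor one's own domains, can be turned into a scheduled baseline check. The following is an added example written for this article, not code from Unit 42 or the companies involved; it assumes the site owner has a baseline of expected form field names and allowed script hosts, and that the HTML fed in is a rendered copy of the page (for instance captured from a headless browser), since a field injected by a skimmer script does not appear in the static source.

```python
# Added example: audit a rendered copy of a page against a baseline of
# expected form fields and script origins (hostnames are placeholders).
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormAudit(HTMLParser):
    """Collect the names of inputs inside <form> tags and external script sources."""

    def __init__(self):
        super().__init__()
        self.fields, self.scripts, self._in_form = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif tag in ("input", "select", "textarea") and self._in_form and a.get("name"):
            self.fields.add(a["name"].lower())
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_page(html, expected_fields, allowed_script_hosts):
    """Return (unexpected form field names, unexpected external script hosts)."""
    parser = _FormAudit()
    parser.feed(html)
    extra_fields = sorted(parser.fields - {f.lower() for f in expected_fields})
    # Relative script paths give an empty netloc (same origin) and are ignored.
    hosts = {urlparse(src).netloc for src in parser.scripts} - {""}
    extra_hosts = sorted(hosts - set(allowed_script_hosts))
    return extra_fields, extra_hosts


# Constructed sample: a contact form with an injected "ssn" input and a script
# loaded from a host that is not in the allowlist.
SAMPLE_HTML = """
<script src="https://video-platform.example/player.js"></script>
<script src="https://cdn-stats.example/t.js"></script>
<form action="/contact"><input name="name"><input name="email">
<input name="phone"><input name="ssn" placeholder="SSN for credit check">
<button>Send</button></form>
"""
BASELINE_FIELDS = {"name", "email", "phone"}
ALLOWED_HOSTS = {"video-platform.example"}

if __name__ == "__main__":
    fields, hosts = audit_page(SAMPLE_HTML, BASELINE_FIELDS, ALLOWED_HOSTS)
    print("unexpected form fields:", fields)  # ['ssn']
    print("unexpected script hosts:", hosts)  # ['cdn-stats.example']
```

Because the skimmer in this campaign was delivered through a video platform the sites legitimately included, a host allowlist on its own would not have flagged it; the comparison of form fields against the baseline is the part of the check that catches the added input.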