Researchers on Monday reported that they found a supply chain attack that leveraged an undisclosed cloud video platform to distribute the same formjacking (skimming) campaign on some 100 real estate sites.
After analyzing the sites, Unit 42 found that all of the compromised sites belonged to one parent company. Palo Alto has since worked closely with the cloud video platform and the real estate company to help them remove the malware.
“We’re publishing this piece to alert organizations and web surfers of the potential for supply chain attacks to infect legitimate websites without the knowledge of those organizations,” said the researchers.
By injecting malicious code into front-end web pages, formjacking campaigns are a common way for threat actors to steal sensitive data, explained Hank Schless, senior manager, security solutions at Lookout. Schless said because the threat actor can customize the malicious form, they could easily slip in a field that’s tangentially aligned with the host website’s actual intention. For example, Schless said in this incident with the real estate site, the attacker could ask for all of the basic information, but add a line for the user’s social security number to validate their credit.
“This same tactic could be used to swipe corporate login credentials from employees,” Schless said. “Creating a fake log-in form would be just as straightforward as any other data-collecting form. Regardless of the intent, the greater lesson in this incident is that it’s necessary to know who has access to your cloud-based assets and how users are interacting with data. Whether it’s a front-end webpage or sensitive data stored in your back-end infrastructure, visibility is king.”
Chris Olson, chief executive officer at The Media Trust, added that formjacking attacks are not usually one-off, isolated incidents. He said more often, they represent widescale attacks that exploit third-party plug-ins to impact thousands of websites at a time.
“Third-party code is the real common denominator behind most web-based attacks: no matter what language it's built on top of, malicious actors will always find vulnerabilities to exploit,” Olson said. “As Unit 42’s write-up demonstrates, formjacking attacks are often obfuscated to evade detection by common blocking tools. In our experience, they are often polymorphic as well, changing or disappearing between sessions to dodge even advanced malware scanners. Organizations can’t depend on automated solutions alone; they need to vet their digital vendors and continually monitor the activity of their online domains.”
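One concrete form of the monitoring Olson and Schless describe is to record a Subresource Integrity hash for every third-party script a site loads and re-check it on a schedule, flagging hash drift and common obfuscation markers. The script below is an added example written for this article, not code from Unit 42, Palo Alto or the video platform; the vendor URL and both script bodies are constructed placeholders.

```python
import base64
import hashlib

# Markers that a previously reviewed third-party script has grown an obfuscated
# payload. Legitimate scripts use some of these too, so they are triage hints,
# not verdicts; the hash comparison is the authoritative signal.
OBFUSCATION_HINTS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "document.write(")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value (e.g. 'sha384-...') for script content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_scripts(fetched: dict, baseline: dict) -> list:
    """Compare freshly fetched third-party scripts against their reviewed baseline.

    fetched:  {script_url: bytes} as retrieved now
    baseline: {script_url: sri_hash} recorded when the script was last reviewed
    Returns one (url, reason) finding per problem: unknown script, hash drift,
    obfuscation hints, or a baselined script that is no longer served.
    """
    findings = []
    for url, content in fetched.items():
        expected = baseline.get(url)
        actual = sri_hash(content)
        if expected is None:
            findings.append((url, "not in baseline"))
        elif actual != expected:
            findings.append((url, f"hash changed to {actual}"))
        text = content.decode("utf-8", errors="replace")
        hints = [h for h in OBFUSCATION_HINTS if h in text]
        if hints:
            findings.append((url, "obfuscation hints: " + ", ".join(hints)))
    for url in baseline.keys() - fetched.keys():
        findings.append((url, "missing from page"))
    return findings


# Constructed sample: a vendor player script as reviewed, and the same script
# later with an appended eval(atob(...)) blob, the shape a polymorphic injection
# can take. The base64 decodes to the literal word PLACEHOLDER.
PLAYER_URL = "https://cdn.example-video.invalid/player.js"  # placeholder vendor host
CLEAN_PLAYER = b"(function(){window.Player={play:function(id){console.log('play',id)}}})();"
TAMPERED_PLAYER = CLEAN_PLAYER + b"\n;eval(atob('UExBQ0VIT0xERVI='));"
BASELINE = {PLAYER_URL: sri_hash(CLEAN_PLAYER)}

if __name__ == "__main__":
    for url, why in audit_scripts({PLAYER_URL: TAMPERED_PLAYER}, BASELINE):
        print(url, "->", why)
```

A static `integrity` attribute on the `<script>` tag gives the browser the same check for free, but it breaks whenever the vendor legitimately updates the player, which is why a baseline that humans review and re-approve on change is the practical complement.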