
Formjacking campaign leverages cloud video platform to target real estate company


Researchers on Monday reported a supply chain attack that leveraged an undisclosed cloud video platform to distribute the same formjacking (skimming) code to some 100 real estate sites.

In a blog post, Palo Alto Networks' Unit 42 researchers said the attackers injected malicious JavaScript into a website and took over the site's HTML forms to collect sensitive data. In the attacks covered in the research, the skimmer JavaScript was injected into the video served by the cloud platform, so any site that imported the video also embedded the skimmer code.
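The mechanism described above rests on two things: the embedding sites executed a third-party script with no integrity check, and nothing in their browser-side policy stopped injected code from sending form data elsewhere. The following is an added example (not code from Unit 42, SC Media, or the video platform) that audits a page for both conditions. The site origin (`listings.example.test`), the third-party hostnames, the sample markup and the two Content Security Policies are all constructed for the example.

```javascript
// Added example (not Unit 42's or SC Media's code): audit a page for the two
// conditions that made this supply-chain skimmer possible and effective.
//   1. Third-party <script src> tags loaded without Subresource Integrity:
//      whatever the provider serves runs with full control of the page.
//   2. A Content Security Policy that does not restrict where a skimmer could
//      send captured form data (fetch/XHR, image beacons, or a rewritten
//      form target).
// The site origin, hostnames and sample markup below are constructed.

const SITE_ORIGIN = "https://listings.example.test"; // hypothetical real-estate site

// Constructed sample listing page: one first-party script, a cloud video
// player script embedded from a third-party host with no SRI, and a library
// that does carry an integrity attribute (digest value is a placeholder).
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://player.videocdn.test/embed/player.js"></script>
<script src="https://cdn.jslib.test/lib.min.js"
        integrity="sha384-placeholderDigestValue" crossorigin="anonymous"></script>
</head><body>
<form id="contact" action="/contact" method="post">
  <input name="email"><input name="phone"><button>Send</button>
</form>
</body></html>`;

// Pull src/integrity out of every <script ...> opening tag. Node has no DOM,
// so a tolerant regex stands in for a parser here.
function extractScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags
    .map(tag => ({
      src: (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1],
      integrity: (tag.match(/\bintegrity\s*=\s*["']([^"']+)["']/i) || [])[1],
    }))
    .filter(s => s.src);
}

// Cross-origin scripts that lack an integrity attribute. The browser will
// execute whatever the remote host serves, so a compromise at the provider
// (as with the video platform) reaches every site that embeds it.
function scriptsWithoutSri(html, siteOrigin) {
  return extractScripts(html)
    .map(s => ({ ...s, abs: s.src.startsWith("//") ? "https:" + s.src : s.src }))
    .filter(s => /^https?:\/\//i.test(s.abs) && new URL(s.abs).origin !== siteOrigin)
    .filter(s => !s.integrity)
    .map(s => s.src);
}

// Minimal CSP header parser: directive name -> list of source expressions.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Gaps that would let injected JavaScript ship form data off-site.
// connect-src, img-src and script-src fall back to default-src when absent;
// form-action does not, so a missing form-action is always a gap.
function cspGaps(header) {
  const p = parseCsp(header);
  const gaps = [];
  const allowsAnyOrigin = v => v.includes("*") || v.some(x => /^https?:$/i.test(x));
  for (const d of ["connect-src", "img-src", "script-src"]) {
    const v = p[d] || p["default-src"];
    if (!v) gaps.push(`${d}: no directive and no default-src`);
    else if (allowsAnyOrigin(v)) gaps.push(`${d}: allows any origin`);
  }
  if (!p["form-action"]) gaps.push("form-action: missing, a skimmer can retarget the form");
  return gaps;
}

function auditPage(html, cspHeader, siteOrigin) {
  return { scriptsWithoutSri: scriptsWithoutSri(html, siteOrigin), cspGaps: cspGaps(cspHeader) };
}

// Constructed policies: a loose one that permits any https: destination, and a
// tightened one that names the video host and pins form submission to 'self'.
const WEAK_CSP = "default-src 'self' https:; script-src 'self' https://player.videocdn.test";
const STRICT_CSP = "default-src 'self'; " +
  "script-src 'self' https://player.videocdn.test https://cdn.jslib.test; " +
  "connect-src 'self' https://player.videocdn.test; " +
  "img-src 'self' https://player.videocdn.test; " +
  "form-action 'self'";

console.log(JSON.stringify(auditPage(SAMPLE_HTML, WEAK_CSP, SITE_ORIGIN), null, 2));
console.log(JSON.stringify(auditPage(SAMPLE_HTML, STRICT_CSP, SITE_ORIGIN), null, 2));
```

Against the weak policy the audit flags the player script (no SRI) and three CSP gaps; against the strict policy only the missing SRI remains. Two caveats apply in practice: an integrity attribute pins one exact file, so it only works when the provider serves a static, versioned build rather than a player script it rewrites on its side, and a tight CSP limits where captured data can go but does not stop injected code from altering the page itself. Where SRI is not an option, recording and alerting on changes to the hash of the fetched third-party script is the fallback control.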

After analyzing the sites, Unit 42 found that all of the compromised sites belonged to one parent company. Palo Alto Networks has since worked closely with the cloud video platform and the real estate company to help them remove the malware.

“We’re publishing this piece to alert organizations and web surfers of the potential for supply chain attacks to infect legitimate websites without the knowledge of those organizations,” said the researchers.

Formjacking campaigns, which inject malicious code into front-end web pages, are a common way for threat actors to steal sensitive data, explained Hank Schless, senior manager, security solutions at Lookout. Schless said that because the threat actor can customize the malicious form, they could easily slip in a field that is tangentially aligned with the host website's actual purpose. For example, Schless said, in this incident with the real estate site the attacker could ask for all of the basic information but add a line for the user's Social Security number to validate their credit.

“This same tactic could be used to swipe corporate login credentials from employees,” Schless said. “Creating a fake log-in form would be just as straightforward as any other data-collecting form. Regardless of the intent, the greater lesson in this incident is that it’s necessary to know who has access to your cloud-based assets and how users are interacting with data. Whether it’s a front-end webpage or sensitive data stored in your back-end infrastructure, visibility is king.” 

Jake Williams, co-founder and CTO at BreachQuest, said that any time a threat actor can insert JavaScript into a website visited by a victim, the threat actor effectively has complete control over the browser's actions on that site. As such, Williams said, the impact depends on the types of sites in which threat actors can embed their malicious code. As noted by the Unit 42 researchers, formjacking attacks usually divert or copy data intended for the legitimate site to a threat actor-controlled server.

“So the impact of a formjacking attack in most cases will be guided by the types of data legitimately submitted on the site,” Williams said. “In the specific instance where threat actors targeted real-estate sites and users wouldn’t typically be providing much sensitive information, it’s not clear what specific impact a formjacking attack would have. However, we can imagine situations in which a real-estate site might link to mortgage lenders. Once the threat actor has injected JavaScript into the website through the video player, they control the destination of those links and might leverage that to collect more sensitive information from visitors. Due to the characterization of the original real-estate victim, tricking users into supplying high-impact data on the website seems unlikely.”

Chris Olson, chief executive officer at The Media Trust, added that formjacking attacks are not usually one-off, isolated incidents. He said more often, they represent widescale attacks that exploit third-party plug-ins to impact thousands of websites at a time.

“Third-party code is the real common denominator behind most web-based attacks: no matter what language it's built on top of, malicious actors will always find vulnerabilities to exploit,” Olson said. “As Unit 42’s write-up demonstrates, formjacking attacks are often obfuscated to evade detection by common blocking tools. In our experience, they are often polymorphic as well, changing or disappearing between sessions to dodge even advanced malware scanners. Organizations can’t depend on automated solutions alone, they need to vet their digital vendors and continually monitor the activity of their online domains.”  
