Sotheby’s Realty. As a result, attackers managed to inject web skimmers and access the personal and financial data of visitors from the sites.

In a skimmer attack, threat actors insert malicious JavaScript code into a targeted website, payment page, or checkout page and steal valuable information, including credit card details of site users.

What are Web Skimmers?

According to researchers, threat actors injected skimmers (aka formjackers) in the targeted websites to steal private and financial information stored in website forms. 

SEE: 100s of schools at risk after Magecart attack on Wisepay

“The skimmer itself is highly polymorphic, elusive, and continuously evolving. “When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large,” researchers stated in their report.

Attack details

It has been confirmed that the attackers breached the Brightcove account of Sotheby’s and injected malicious code in the player by tampering with a script, which could be uploaded to add JavaScript customizations to that video player.

Brightcove, Inc. is a cloud-based online video platform operating from Boston, Massachusetts, United States. Sotheby’s on the other hand is one of Brightcove’s high-profile customers – It is worth noting that Brightcove itself was not compromised and the malicious video exploited in the attack was stored on a third-party solution.

According to Unit 42 researchers, attackers injected skimmer code into a video player. Consequently, the customer’s custom configuration of the player was compromised, thereby affecting only websites owned by that customer using the custom, compromised player.

In a statement to Hackread.com, Brightcove explained that:

“A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident.

Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts.”

This supply chain attack was immensely successful as attackers could infect over 100 websites. Palo Alto researchers notified the targeted cloud video platform and helped clear the infected pages.

SEE: How to check for websites hacked to run web skimming, magecart attack

“The attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” the report said.

Cloud video platform abused in web skimmer attack against real estate sites

Type of info that compromised real estate sites asked (left) – Malicious code resides in this HTML page. Skimmer Code Analysis (Right)

What Data was Stolen?

Malwarebytes reported that this campaign has been active since January 2021. Apparently, attackers have harvested critical personal details such as:

  1. Names
  2. email addresses 
  3. Phone numbers
  4. Credit card data

The information was exfiltrated to a remote server identified as “cdn-imgcloud[.]com.”  This server previously functioned as a collection domain for a MageCart attack that targeted Amazon CloudFront CDN in June 2019. Unit 42 researchers have published a full list of the Indicators of Compromised (IoCs) on a GitHub repository.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Posted by Charlie