Hackers Use Video Players in Websites to Steal Sensitive User Information

On real estate websites recently the threat actors have placed a malicious script that steals sensitive data, that is entered by the user in the targeted website.

Here in this event, the hackers have targeted the cyberattacks on supply chains, and to perform this, they have used a cloud-based video hosting service. 

A research unit of Palo Alto Networks, Unit 42 has reported that hackers are insinuating malicious JavaScript code into videos. And at this point when the video is imported to other sites in which the skimmer codes are embedded.

Moreover, the hackers have compromised more than 100 real estate websites in this malicious campaign which clearly depicts that it’s a clear successful supply chain attack.

Infecting multiple by hacking once 

Apart from this, Skimmer attacks are also known as formjacking, and in these cyber attacks, the hackers inject malicious JavaScript into a target website. Here they target the checkout or payment pages on shopping and e-commerce portals to steal sensitive user data like:-

  • Debit Card Information
  • Credit Card information
  • Email
  • Physical Address
  • Date of Birth
  • CC CVV
  • DC CVV
  • Name
  • Phone Number

The websites that are in question are owned by the same parent company, and the experts at Unit 42 have not disclosed the name of the company. What they did is they helped the company to remove the malware.

To include a malicious skimmer script the hackers modified the upstream JavaScript file and gained access to it. Now once done with this, the video player starts serving malicious script since the hackers keep the next player update loaded with malicious script.

The real estate website that had the player embedded are served with the malicious script through which the threat actors steal all the sensitive user inputs that are made by the users into the website forms.

Operational process

Here we have simplified the operational process of it in a few simple steps, and here we have mentioned below:-

  • First of all, it checks whether the webpage load is done or not.
  • Then it calls the next function.
  • After that, from the HTML document, it read and steals all the user inputs.
  • Once done with the above step, now it calls a data-validating function before saving it.
  • Lastly, by creating an HTML tag and filling the image source with the server URL, all the stolen data collected are sent to the C2 (https://cdn-imgcloud[.]com/img).

So, the experts have strongly recommended website admins to not trust blindly all the JavaScript scripts that are embedded on their sites.

While what they have advised admins to follow is regularly conduct web content integrity checks, and along with that use form-jacking detection solutions.

You can follow us on Linkedin, TwitterFacebook for daily Cybersecurity and hacking news updates.

Posted by Charlie