Hackers use video player to steal credit cards from over 100 sites

Hackers used a cloud-based video hosting service to perform a supply chain attack on over a hundred real estate sites that injected malicious scripts to steal information entered into website forms.

These scripts are known as skimmers or formjackers and are usually injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on online store checkout pages to steal payment information.

In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds this player, it embeds the malicious script, causing the site to be infected.

In total, Unit42 found over 100 real estate sites compromised by this campaign, showing a highly successful supply chain attack.

Researchers alerted the cloud video platform and helped infected sites clean up their pages, but this campaign is an example of adversaries’ ingenuity and determination.

Hack once, infect hundreds

The cloud video platform involved in the attack allows users to create video players that include custom JavaScript scripts to customize the player.

One such custom video player that is commonly embedded in real estate sites used a static JavaScript file hosted on a remote server.

Unit42 researchers believe that these hackers gained access to the upstream JavaScript file and modified it to include a malicious skimmer script.

During the next player update, the video player began spreading the malicious script to all real estate sites where the player was already embedded, allowing the script to steal sensitive information entered into website forms.

Skimmer code seen in an infected web page (Source: Palo Alto Networks)

The code itself is heavily obfuscated, so it is unlikely to raise suspicion at first sight or to be caught by less sophisticated security products.

After further analysis, Unit42 discovered that the skimmer steals victims’ names, email addresses, phone numbers, and credit card information. This stolen information is then sent back to a server controlled by the attacker, where threat actors can collect it for further attacks.

Its operational process can be summarized in the following three steps:

  • Check whether the webpage has finished loading, then call the next function.
  • Read the client's input from the HTML document and call a data validation function before saving it.
  • Send the collected data to the C2 (https://cdn-imgcloud[.]com/img) by creating an HTML image tag and populating its source attribute with the server URL.

Skimmer functions and execution order, from data collection to exfiltration (Source: Palo Alto Networks)

Palo Alto Networks has posted a full list of IoCs (Indicators of Compromise) on this GitHub repository.

An elusive threat

This campaign deploys an ever-evolving, polymorphic skimmer that cannot be stopped by traditional domain name and URL blocking methods.

Website administrators who embed third-party JavaScript on their sites should not blindly trust it, even if the source has previously proven trustworthy.

Instead, administrators are advised to perform regular web content integrity checks and use form hijacking detection solutions.