In a recent information theft incident, the Palo Alto Networks Unit42 security team discovered that attackers were quietly harvesting user credit card information through a cloud video platform. By the time security personnel discovered the attack, the attackers had already used the platform's video player to collect a large amount of credit card information from more than 100 websites.
The attackers' approach was to use the cloud video hosting service to carry out a supply chain attack on more than a hundred real estate websites, injecting malicious scripts that steal the information entered into website forms.
These scripts are called form hijackers. Attackers inject them into websites to steal sensitive information entered into forms, and they are most often used to steal information from payment pages in online stores.
The Unit42 security team believes this is a new type of supply chain attack: the attacker used the cloud video hosting function to inject browser-side code into the video player, so that whenever a website embeds the player, the malicious script infects that website as well.
In this supply chain attack, the Unit42 security team discovered a total of more than 100 real estate websites affected, which shows how successful the attack was. So far, they have notified the cloud video platform and helped clean up the infected websites.
Use video players to steal information
When the video player is next updated, it delivers the malicious script to every real estate website that has embedded the player. The script then steals sensitive information entered into the website's forms, including names, email addresses, phone numbers, and credit card information. The stolen information is eventually sent to a server controlled by the attacker, who can use it to launch further attacks.
In general, there are three main steps in the attack process:
- Check whether the web page has finished loading, then call the next function;
- Read the customer's input from the HTML document and call a data validation function before saving it;
- Send the collected data to the C2 server (https://cdn-imgcloud[.]com/img) by creating an HTML image tag whose source attribute is set to the server URL carrying the stolen data.
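The third step, a dynamically created image tag whose source carries the stolen fields to an off-site host, is also the step a site owner can watch for in the browser. The following is an added defender-side example, not code from the Unit42 report or from the affected platform; the allowlisted hosts, the page origin and the beacon URLs in it are constructed for illustration.

```javascript
// Constructed allowlist: hosts this site legitimately loads images from.
const ALLOWED_IMAGE_HOSTS = new Set([
  "example-realty.test",
  "cdn.example-realty.test",
]);

// Classify a newly created <img> src. Same-origin, data: and allowlisted
// loads are fine; an off-site load is flagged, and flagged with a stronger
// reason when its URL carries a long query/path or a base64-looking run,
// which is how a skimmer smuggles form fields out in an image request.
function classifyImageLoad(src, pageOrigin, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch {
    return { suspicious: true, reason: "unparseable src" };
  }
  if (url.protocol === "data:" || url.origin === pageOrigin) {
    return { suspicious: false, reason: "same-origin or inline image" };
  }
  if (allowedHosts.has(url.hostname)) {
    return { suspicious: false, reason: "allowlisted host" };
  }
  const tail = url.pathname + url.search;
  const hasPayload = tail.length > 64 || /[A-Za-z0-9+/=]{40,}/.test(tail);
  return {
    suspicious: true,
    host: url.hostname,
    reason: hasPayload
      ? "off-origin image carrying a long payload"
      : "off-origin image host not on the allowlist",
  };
}

// Browser wiring (assumes a DOM): report every suspicious <img> as it is
// inserted. A CSP of `img-src 'self' cdn.example-realty.test` would block
// the same loads outright; this observer gives the site visibility instead.
function watchImageBeacons(report) {
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType === 1 && node.tagName === "IMG") {
          const verdict = classifyImageLoad(node.getAttribute("src") || "", location.origin);
          if (verdict.suspicious) report(verdict, node);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```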