Malware

A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain

Clock Icon 10 min read

This post is also available in: 日本語 (Japanese)

Executive Summary

Supply chain networks are frequent targets for cybercrime, as controlling a weak link in the supply chain can grant cybercriminals access to more victims – especially when the weak link is the source of the supply chain. Recently, we found a supply chain attack leveraging a cloud video platform to distribute skimmer (aka formjacking) campaigns. In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site’s HTML form page to collect sensitive user information. In the case of the attacks described here, the attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well.

With Palo Alto Networks proactive monitoring and detection services, we detected over 100 real estate sites that were compromised by the same skimmer attack. The skimmer attack has grown in popularity with attackers since we published our previous blog posts, “Anatomy of Formjacking Attacks” and “Data Analysis: A Closer Look at the Web Skimmer.” After analysis of the sites we identified, we found that all the compromised sites belong to one parent company. All these compromised sites are importing the same video (accompanied by malicious scripts) from a cloud video platform.

We worked with the cloud video platform and the real estate company to help them remove the malware prior to publication. We're publishing this piece to alert organizations and web surfers of the potential for supply chain attacks to infect legitimate websites without the knowledge of those organizations. In this blog, we will take a step-by-step look at how this attack is deployed and how the skimmer steals victims’ sensitive information.

Palo Alto Networks customers are protected from this type of attack via the WildFire and URL Filtering subscription services for the Next-Generation Firewall.

Types of Attacks and Vulnerabilities Covered Skimmer attacks, formjacking
Related Unit 42 Topics Information stealing

Table of Contents

Skimmer Detection
Skimmer Code Analysis
Malicious Code in Video
Conclusion
Indicators of Compromise

Skimmer Detection

With Palo Alto Networks proactive monitoring and detection services, we are able to capture websites compromised by the skimmer attack discussed here. These websites are listed in the indicators of compromise (IoCs) section below.

Let’s take one website as an example (see Figure 1). It provides a form that visitors can use to request more information about a house for sale, and it includes fields where the user is asked to provide personal information.

"One website provides a form that visitors can use to request more information about a house for sale, and it includes fields where the user is asked to provide personal information.
Figure 1. Asking for a potential victim’s sensitive information.

When trying to access this page, our detection service is able to detect a skimmer attack in an iframe URL:

When accessing the page shown in Figure 1, our detection service is able to detect a web skimmer attack in an iframe URL, as shown here.
Figure 2. Malicious code resides in this HTML page.

Skimmer Code Analysis

To better understand how this skimmer operates, we do a deep dive into the sample codes. Let’s start with the JavaScript code extracted from the compromised sites:

From the code, we know next to nothing about what the attack is attempting to do as it is highly obfuscated. Let’s try to beautify it and split it into four parts to get a better understanding of it:

Skimmer Code Part One

The code in part one is used to decrypt the string array – u; the decryption function is l.

After decryption, we can get a plain text array as shown below. For example, l (0x1) is the string test.

Skimmer Code Part Two

Part two defines three functions:

  1. Function c is used to replace the string with a regex pattern.
  2. Function d is used to verify whether a string matches a credit card pattern. We can see it uses four regex patterns.
  3. Function f is used to verify credit card numbers with the Luhn algorithm.

Skimmer Code Part Three

Part three is an anti-debug code. With decryption, it looks as below:

Basically, it checks if window.Firebug, window.Firebug.chrome and window.Firebug.chrome.isInitialized variables exist. It also sends a devtoolschange message to check whether the Chrome console is opened.

Skimmer Code Part Four

After decryption, the code samples are very clear. Let’s see what these code snippets do.

The code below defines the hashCode function, which is used to encrypt credit card content.

Code Analysis

The following code defines Gate and Data variables. The Data variable saves credit card information, and the Gate variable saves the C2 server.

The code samples below reveal how the skimmer steals credit card information and sends it out. We have broken the process down into the following steps:

1. First, it uses onreadystatechange to check whether the page load is done. It then calls the TrySend function.

2. The TrySend function calls the SaveAllFields function to read the customer input information, such as name and email address, from the HTML document, and then calls SaveParam to check if the data is valid. If valid, it will save this information into the Data variable.

3. Next, the TrySend function will call the SendData function to send the data. The SendData function will then call the LoadImage function to create an <img> HTML tag and fill the image source with a C2 URL.

Malicious Code in Video

How does the attacker inject the malicious code into the player of the cloud video platform? Let's take a look. When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content.

We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.

From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal:

VirusTotal results for the collection server where the web skimmer discussed here sends sensitive information gathered from victims.
Figure 3. VirusTotal result for the collection server.

Conclusion

In this skimmer campaign, we traced the malicious activity from the skimmer scripts to the source of the cloud video platform. We also did a deep dive into the code snippets collected from the skimmer campaign.

The skimmer itself is highly polymorphic, elusive and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type, since merely blocking domain names or URLs used by skimmers is ineffective.

For website administrators, it is advisable to safeguard any accounts, avoid theft by phishing or social engineering, and manage permissions well. Also, we highly recommend conducting web content integrity checks on a regular basis. This can help detect and prevent injection of malicious code into the website content.

Palo Alto Networks customers are protected from skimmer (aka formjacking) attacks via the WildFire and URL Filtering subscription services for the Next-Generation Firewall.

Indicators of Compromise

Indicators of compromise for the web skimmer attacks discussed here can be found on GitHub.

Enlarged Image