An unknown cloud video platform was used to inject web skimmer code into over 100 real estate websites owned by the same parent company. Skimmer attacks, which are becoming more common, use malicious JavaScript code to steal data that users enter on the targeted website. According to Palo Alto Networks, in this attack the skimmer code was injected into a video in such a way that it was automatically integrated into every website that imported the video.
Palo Alto Networks, Inc. is a multinational cybersecurity company based in Santa Clara, California. Its key products are a platform with powerful firewalls and cloud-based services that expand those firewalls to encompass other elements of security. Over 70,000 enterprises in over 150 countries, including 85 of the Fortune 100, rely on the company's services.
The attack was possible because the misused cloud video platform lets users add their own JavaScript customizations to players by uploading a JavaScript file that is incorporated into the player. Taking advantage of this feature, the threat actors supplied a script that could be modified upstream, allowing them to add harmful content after the player had been created.
To gain a better grasp of the code, researchers divided it into four parts. Part one decodes the string array u, and the decryption function is 1; after decryption the researchers obtained a plain text array. Part two defines three functions: function c replaces a string using a regex pattern, function d checks whether a string matches one of the four credit card regex patterns the researchers identified, and function f validates credit card numbers using the Luhn algorithm.
Part three consists of anti-debug code. It simply checks whether the variables window.Firebug, window.Firebug.chrome, and window.Firebug.chrome.isInitialized exist, and it also listens for a devtoolschange message to determine whether the Chrome console is open. Part four, once decrypted, is plainly readable skimmer code.
“We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” Palo Alto Networks notes. The JavaScript code was designed to identify credit card patterns, verify credit card numbers, collect card data, and transfer it to the attackers. It was highly obfuscated to mask its nefarious purpose.