Threat actors used a cloud video hosting service to carry out a supply chain attack on more than 100 Sotheby’s Realty real estate websites, which included injecting malicious skimmers to steal sensitive personal information.
According to Malwarebytes, the campaign began as early as January 2021, with the harvested information — names, emails, phone numbers, and credit card data — exfiltrated to a remote server “cdn-imgcloud[.]com,” which also served as a collection domain for a Magecart attack targeting Amazon CloudFront CDN in June 2019.
“By attaching skimmer code to the static script at its hosted location, the attacker modified it. The video platform re-ingested the compromised file and served it alongside the impacted player after the next player update.”
Finally, the researchers concluded: “To detect and prevent malicious code injection into online sites, it is recommended to perform web content integrity checks on a regular basis, as well as protect accounts from takeover attempts and keep an eye out for potential social engineering schemes. The skimmer is highly polymorphic, elusive, and constantly evolving. When combined with cloud distribution platforms, a skimmer of this type could have a significant impact.”
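As an added example (not code from the article or the researchers), here is a minimal form of the periodic content integrity check recommended above: each externally hosted script is hashed against a recorded baseline, and any domain it references outside an allowlist is flagged so that a legitimate player update can be told apart from an appended exfiltration hook. The script URL, the allowlist and both script bodies are constructed for illustration.

```python
import hashlib
import re

# Constructed sample content standing in for a video platform's static
# player script: the trusted baseline and a later copy with one appended line
# that references the collection domain named in the article.
PLAYER_URL = "https://players.video-platform.example/player.js"  # hypothetical
BASELINE_PLAYER_JS = "function initPlayer(){ /* legitimate player code */ }\n"
MODIFIED_PLAYER_JS = BASELINE_PLAYER_JS + (
    "/* appended */ var c = 'https://cdn-imgcloud.com/collect';\n"
)

# Hosts the page is expected to talk to (hypothetical allowlist). A script
# that suddenly references anything else is a triage signal, not just noise
# from a routine vendor release.
EXPECTED_DOMAINS = {"players.video-platform.example", "www.sothebysrealty.example"}

DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def referenced_domains(content: str) -> set:
    """Hosts named in absolute URLs inside the script body, lower-cased."""
    return {m.lower() for m in DOMAIN_RE.findall(content)}


def check_script(url: str, content: str, baseline_hashes: dict) -> dict:
    """Compare a fetched script with its recorded hash and the domain allowlist.

    'changed' is True when the hash differs from the baseline (or the URL has
    no baseline yet); 'unexpected_domains' lists referenced hosts that are
    not allowlisted. Both signals together are what a reviewer acts on.
    """
    digest = sha256_hex(content)
    changed = baseline_hashes.get(url) != digest
    unexpected = referenced_domains(content) - EXPECTED_DOMAINS
    return {"url": url, "sha256": digest, "changed": changed,
            "unexpected_domains": sorted(unexpected)}


if __name__ == "__main__":
    baseline = {PLAYER_URL: sha256_hex(BASELINE_PLAYER_JS)}  # recorded earlier
    for body in (BASELINE_PLAYER_JS, MODIFIED_PLAYER_JS):
        print(check_script(PLAYER_URL, body, baseline))
```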