Data Skimmer Hits 100+ Sotheby’s Real-Estate Websites

A supply-chain campaign infecting Sotheby’s real-estate websites with data-stealing skimmers was recently observed being distributed via a cloud-video platform.

According to Palo Alto Networks’ Unit 42 division, researchers noticed that most of the activity affected real-estate-related sites. At least 100 of them were successfully infected (the full list of affected websites can be found here). Upon closer inspection, all of the compromised sites belonged to one parent company (Sotheby’s), which imported the same video player, infested with malicious scripts, from the cloud video platform.

Many of the compromised sites (all of which were cleaned) were for specific properties for sale and are now defunct, but a look at some of the still-running sites show heavy use of the Brightcove video player to showcase properties. However, the abused player in the campaign is unnamed in the post; Threatpost has reached out to Unit 42 for details.

“In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site’s HTML form page to collect sensitive user information,” researchers explained in a Monday posting. “In the case of the attacks described here, the attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well.”

An analysis of the skimmer code showed that it harvests information that victims load into contact pages requesting a home showing, including names, emails and phone numbers. It then sends them to a malicious collection server (https://cdn-imgcloud[.]com/img), hosted on a content delivery network. The information could be used for convincing follow-on phishing and other social-engineering attacks.

“The skimmer itself is highly polymorphic, elusive and continuously evolving,” researchers warned. “When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type, since merely blocking domain names or URLs used by skimmers is ineffective.”

Abusing the cloud platform is not difficult, researchers noted. After signing up to use the video creator, any user can add JavaScript customizations by uploading a JavaScript file to be included in the player.

“In this specific instance, the user uploaded a script that could be modified upstream to include malicious content,” according to Unit 42. “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.”

To protect their websites, website administrators can take steps such as conducting web content integrity checks on a regular basis, to detect and prevent injection of malicious code into the website content, researchers said.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.