Data Skimmer Hits 100+ Sotheby’s Real-Estate Websites

The campaign was an opportunistic supply-chain attack abusing a weaponized Brightcove cloud video player.


A supply-chain campaign infecting Sotheby’s real-estate websites with data-stealing skimmers was recently observed being distributed via a Brightcove cloud-video platform instance.

According to Palo Alto Networks’ Unit 42 division, researchers noticed that most of the activity affected real-estate-related sites. At least 100 of them were successfully infected (the full list of affected websites can be found here). Upon closer inspection, all of the compromised sites belonged to one parent company (Sotheby’s), which imported the same video player, infested with malicious scripts, from Brightcove.

Many of the compromised sites (all of which were cleaned) were for specific properties for sale and are now defunct, but a look at some of the still-running sites show heavy use of video to showcase properties.

Infosec Insiders Newsletter

“In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site’s HTML form page to collect sensitive user information,” researchers explained in a Monday posting. “In the case of the attacks described here, the attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well.”

According to Brightcove, the malicious video in question was housed in third-party storage, and Brightcove’s own systems were not compromised.

“A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident,” the company told Threatpost in a statement. “Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts.”

Cloudy Skimmer: An Attack Vector with Promise

An analysis of the skimmer code showed that it harvests information that victims load into contact pages requesting a home showing, including names, emails and phone numbers. It then sends them to a malicious collection server (https://cdn-imgcloud[.]com/img), hosted on a content delivery network. The information could be used for convincing follow-on phishing and other social-engineering attacks.

“The skimmer itself is highly polymorphic, elusive and continuously evolving,” researchers warned. “When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type, since merely blocking domain names or URLs used by skimmers is ineffective.”

Abusing a video instance is not difficult, researchers noted. After signing up to use the video creator, any user can add JavaScript customizations by uploading a JavaScript file to be included in the player.

“In this specific instance, the user uploaded a script that could be modified upstream to include malicious content,” according to Unit 42. “We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.”

To protect their websites, website administrators can take steps such as conducting web content integrity checks on a regular basis, to detect and prevent injection of malicious code into the website content, researchers said.

“As these types of attacks continue to evolve in sophistication and cleverness, enterprises need to remain focused on the basics,” Trevor Morgan, product manager at comforte AG, said via email. “Develop a defensive strategy incorporating more than just perimeter-based security, don’t assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after.”

He added, “Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get ahold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain.”

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.

This story was updated at noon ET on Jan. 5, 2022, to include Brightcove’s statement.


Suggested articles