Attackers Grabbing Payment Info From 4600 Sites

By   ISBuzz Team
Writer , Information Security Buzz | May 14, 2019 11:43 am PST

Hackers have injected malicious code into Alpaca forms and Picreel, an analytics service to steal payment information and passwords according to Security researcher Willhelm DeGroot.* DeGroot who discovered the attack believes more than 4,600 websites have been affected. 

Mike Bittner, Digital Security and Operations Manager at The Media Trust:  

“Hackers have realized that third-party code suppliers are soft targets and provide a window to a large number of client companies, high-profile or not.  Security vulnerabilities aren’t limited to open source code either—they are widespread across the software industry, which thrives on short product cycles and narrow cost margins that give little priority to security and privacy. This is why supply chain attacks are growing in popularity. These gaps will have to be closed as various states here in the US enforce their own GDPR-inspired consumer data privacy laws. The California Consumer Privacy Act will go into effect beginning in January 2020. Any website owner will need to carefully vet their third-parties and conduct audits to ensure all third parties have adequate security measures in place. These processes will force software providers to build security and privacy testing into the product development lifecycle, and not sweep it under the rug, as providers have for years. If providers continue to operate as they have, they’ll find their cart abandonment rates soar, not to mention their costs after penalties are leveled.”  

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:

Picreel provides site owners with the capability to track very detailed visitor interaction, like mouse movement and page scrolling. So it is a more natural choice for sites that deal with financial information or are trying to sell the visitor something. The threat actor can maximize their return by targeting these sites, which are more likely to handle payment information. Among the victimized web sites are a few fairly popular sites around the world, like Correos which is the state owned postal service in Spain, and which is a popular shopping site in the US. 

This type of supply chain attack is one level up from the typical site compromise performed by groups like Magecart where a high profile site is infiltrated to insert a malicious javascript and siphon off payment card information. We are unfortunately in the era of cloud native risks associated with SaaS applications. It used to be that you needed to ensure the security of libraries you embed in your application, but with cloud real time delivery, the challenge has morphed into assessing the security posture of the entity providing you with the functionality.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x