Hackers have injected malicious code into Alpaca forms and Picreel, an analytics service to steal payment information and passwords according to Security researcher Willhelm DeGroot.* DeGroot who discovered the attack believes more than 4,600 websites have been affected.
Supply chain attack of the week: @Picreel_ marketing software got hacked last night, their 1200+ customer sites are now leaking data to an exfil server in Panama.
Mike Bittner, Digital Security and Operations Manager at The Media Trust:
“Hackers have realized that third-party code suppliers are soft targets and provide a window to a large number of client companies, high-profile or not. Security vulnerabilities aren’t limited to open source code either—they are widespread across the software industry, which thrives on short product cycles and narrow cost margins that give little priority to security and privacy. This is why supply chain attacks are growing in popularity. These gaps will have to be closed as various states here in the US enforce their own GDPR-inspired consumer data privacy laws. The California Consumer Privacy Act will go into effect beginning in January 2020. Any website owner will need to carefully vet their third-parties and conduct audits to ensure all third parties have adequate security measures in place. These processes will force software providers to build security and privacy testing into the product development lifecycle, and not sweep it under the rug, as providers have for years. If providers continue to operate as they have, they’ll find their cart abandonment rates soar, not to mention their costs after penalties are leveled.”
Picreel provides site owners with the capability to track very detailed visitor interaction, like mouse movement and page scrolling. So it is a more natural choice for sites that deal with financial information or are trying to sell the visitor something. The threat actor can maximize their return by targeting these sites, which are more likely to handle payment information. Among the victimized web sites are a few fairly popular sites around the world, like Correos which is the state owned postal service in Spain, and Gearpatrol.com which is a popular shopping site in the US.
This type of supply chain attack is one level up from the typical site compromise performed by groups like Magecart where a high profile site is infiltrated to insert a malicious javascript and siphon off payment card information. We are unfortunately in the era of cloud native risks associated with SaaS applications. It used to be that you needed to ensure the security of libraries you embed in your application, but with cloud real time delivery, the challenge has morphed into assessing the security posture of the entity providing you with the functionality.
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.