While running an initial check on https://www.sothebysrealty.com/ that just experienced a supply chain attack on over 100 real estate websites operated by the company, Cyberpion discovered that sothebys.com, the multinational of which Sotheby’s International Realty is a subsidiary, is not adopting the best security policies that should have been implemented from past experience, especially considering their site was infected with digital skimming code back in 2018.
According to Sotheby’s privacy policy, they may share information with Sotheby’s International Realty
Other key findings include:
- Sotheby’s home page (sothebys.com) is accessible over an insecure connection:
- This page also refers to their login page (which is loaded securely), but a manipulation on the main site can affect access to the login page as well
- The main domain is serving Mixed Content – HTTPS content is served over HTTP when accessing the site over HTTP, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers
- There is no Content Security Policy (CSP) that’s now recommended for websites
- When registering for their newsletter via the site.
<p><span id=\"m_-2363950598592364041m_4514026821609486002gmail-docs-internal-guid-0b116108-7fff-1264-aace-c98829591868\">It is clear that Sotheby’s didn’t fully rectify the situation since their initial Magecart attack in 2018. Formjacking a very common and effective technique in supply chain attacks. From our latest research conducted last year, we saw tens of thousands of websites exposed and patterns keep repeating. Often hackers start small by changing something meaningless to learn traffic patterns and observe monitoring tools before choosing the perfect time to strike. Now more than ever, it is critical for companies to continually monitor their supply chains to prevent repeat attacks. In addition, companies need to periodically load their scripts to check if they have been manipulated. They should also inspect to see if scripts are being added to pages and then report or block unintended behaviour.</span></p>