"Supply Chain Web Skimming Attacks Hit Dozens of Sites"

Security researchers at Jscrambler recently discovered that a web skimming campaign running for the past year has already compromised over 40 e-commerce sites. The researchers revealed that "Group X," which exfiltrated card data to a server in Russia, used a novel supply-chain technique to compromise its victims. The cybercriminals exploited a third-party JavaScript library called Cockpit, a free web marketing and analytics service that was discontinued in December 2014. The adversaries acquired the domain name that had hosted the library and used it to serve a skimming script via the same URL. By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce websites.

The researchers noted that it is not uncommon for site owners to fail to remove deprecated libraries like this from their pages, leaving dead links that can later be taken over. They stated that the root of the problem is a lack of insight into third-party code combined with poor security practices: most security teams have no visibility into the third-party code running on their websites, and cannot tell whether it is behaving as it should or misbehaving, whether accidentally or maliciously. This blind spot can create a false sense of confidence in one's assessment of risk. The researchers also acknowledged that some of the compromised sites may have been affected because the content management system or website generator service they were using automatically injected the third-party script into their pages. In that scenario, the site owners may have been unable to remove the library because of restricted permissions or a lack of knowledge.

Jscrambler also found two other web skimming groups. One, dubbed "Group Y," used a skimmer similar to Group X's but attacked websites directly with the aim of injecting a script into their homepage. The third, "Group Z," apparently used a slightly modified script and server structure in its attacks.
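The attack described above succeeds because the browser loads whatever the third-party URL currently serves, and the site has no record of what it expected to receive. The following added example (not Jscrambler's tooling and not code from the article) shows the two defender-side checks that address that directly: an inventory audit that flags every third-party `<script>` tag that is off the site's maintained allowlist or lacks a Subresource Integrity hash, and the SRI comparison itself, which rejects a script whose bytes changed even though its URL did not. The sample HTML, the hostnames (`shop.example`, `cdn.allowed.example`, `defunct-analytics.example`) and the allowlist are all constructed for the example.

```python
"""Audit third-party <script> tags and pin them with Subresource Integrity.

Added example for a page on the Jscrambler web-skimming report; not the
researchers' code. All hosts and page content below are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: two first-party scripts, one allowlisted CDN
# script pinned with SRI, and one script still referenced from a service
# that no longer exists (the dead link the article warns about).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.allowed.example/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//defunct-analytics.example/tracker.js"></script>
</head><body></body></html>
"""

# Constructed library bytes: what the site originally vetted, and what a
# re-registered domain might serve later under the same URL.
ORIGINAL_LIB = b"window.track = function(e){ /* analytics */ };"
SWAPPED_LIB = b"window.track = function(e){ /* something else */ };"


class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def audit_scripts(html, first_party_host, allowed_hosts):
    """Return (src, reason) findings for external scripts that are either
    not on the allowlist or not pinned with an integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attributes in collector.scripts:
        src = attributes["src"]
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # a relative path has an empty netloc and is first-party.
        host = urlparse(src).netloc.lower().split(":")[0]
        if not host or host == first_party_host.lower():
            continue
        if host not in allowed_hosts:
            findings.append((src, "third-party host not on the allowlist"))
        if "integrity" not in attributes:
            findings.append((src, "no Subresource Integrity hash"))
    return findings


def sri_hash(script_bytes, algo="sha384"):
    """Compute the integrity="..." value for a known-good copy of a script."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(script_bytes, integrity):
    """Mirror the browser's SRI check: the fetched bytes must hash to the
    pinned value, so a script swapped behind an unchanged URL is refused."""
    algo, _, expected = integrity.partition("-")
    return hashlib.new(algo, script_bytes).digest() == base64.b64decode(expected)


if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML, "shop.example",
                                     {"cdn.allowed.example"}):
        print(f"{src}: {reason}")
    pinned = sri_hash(ORIGINAL_LIB)
    print("pinned:", pinned)
    print("original accepted:", sri_matches(ORIGINAL_LIB, pinned))
    print("swapped accepted: ", sri_matches(SWAPPED_LIB, pinned))
```

Run periodically against the rendered pages (not just the templates, since a CMS or site generator may inject tags the developers never wrote), the audit turns the "we don't know what third-party code is running" problem into a concrete list. SRI alone does not stop a library that is still actively maintained and updated by its provider, so it is most useful for exactly the case here: a frozen, discontinued script whose bytes should never change.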


Infosecurity reports: "Supply Chain Web Skimming Attacks Hit Dozens of Sites"
