Posted on May 13, 2019 at 4:08 PM
4600 Sites Collecting User Data In Ongoing Attack
Picreel and Alpaca Forms have been breached with modified JavaScript files embedding malicious code in over 4600 websites. This news was brought to light by security researcher Willem De Groot, founder of Sanguine Security, and has been confirmed by other researchers in the information security community with the malicious scripts finally being taken offline 4 hours ago as of the writing of this article.
Picreel is an analytics service that specializes in recording end-user behavior. Its tools allow webmasters to record how consumers interact with a website, allowing behavioral patterns to be built up. This is then translated into boosted conversion via more directed content and more intuitive (for the target audience) design. The JavaScript code that webmasters embed in their webpages to track consumer behavior has been modified with malicious code.
Alpaca Forms, on the other hand, is an open-source project that allows users to build forms. It was initially built by CloudCMS before being open-sourced over eight years ago, with the company still providing a free CDN (Content Delivery Network) service for the project it birthed. In the case of Alpaca, the hackers managed to infiltrate the CloudCMS-managed CDN to modify one of the Alpaca scripts. It seems that only the one script was tampered with, with the company saying that nothing else was touched.
Form input data all logged by hackers
It is currently a mystery as to how the hackers managed to infiltrate Picreel and the CloudCMS-hosted CDN running Alpaca Forms. ZDNet managed to talk to Willem De Groot via Twitter, and the security researcher told them that the same threat actor was responsible for both attacks. The code inserted into the JavaScript files logs all data entered into the forms, sending it to a server located in Panama. The data comes from forms found on checkout and payment pages along with contact pages and login sections.
This means that the hackers have access to a wide array of passwords, usernames and credit card details from the two hacks, which have resulted in thousands of websites being compromised. The potential data gathered could reach up to millions of users around the world.
CloudCMS acted quickly and even replied to De Groot on Twitter to confirm that they were not attacked through Amazon S3. The company said that it was “origin hacked” and that the hackers had exploited a widely known httpd vulnerability. The company removed the offending JavaScript files and later put them back once they had secured the CDN.
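Both incidents described above come down to the same failure mode: a site loads a third-party script by URL and runs whatever the CDN happens to serve that day. The example below is added here and is not code from the article, Picreel, Alpaca Forms or CloudCMS. It shows the check a site owner can automate: pin the hash of each third-party script at audit time (the same SHA-384 token browsers use for Subresource Integrity), then compare what the CDN currently serves against that baseline so a silently modified file is flagged before it ships to visitors. The URLs and script bodies are constructed sample data.

```python
import base64
import hashlib

# Constructed sample: the "known good" copy of each third-party script as it
# looked when the site owner last audited it. The URLs and bodies are
# hypothetical, not the real Picreel or Alpaca files.
KNOWN_GOOD = {
    "https://cdn.example.com/analytics.js": b"window.track=function(e){console.log(e)};\n",
    "https://cdn.example.com/forms.js": b"window.buildForm=function(s){return s};\n",
}

# Constructed sample: what the CDN serves today. forms.js has been altered
# (an appended comment stands in for whatever an attacker would add).
SERVED_NOW = {
    "https://cdn.example.com/analytics.js": b"window.track=function(e){console.log(e)};\n",
    "https://cdn.example.com/forms.js": b"window.buildForm=function(s){return s};\n/* unexpected change */\n",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity token ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(scripts: dict) -> dict:
    """Map each script URL to the hash pinned at audit time."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def find_modified(baseline: dict, served: dict) -> list:
    """URLs whose served body no longer matches the pinned hash, or that disappeared."""
    changed = []
    for url, expected in baseline.items():
        body = served.get(url)
        if body is None or sri_hash(body) != expected:
            changed.append(url)
    return sorted(changed)


def script_tag(url: str, content: bytes) -> str:
    """Emit a <script> tag that makes the browser itself refuse a modified file."""
    return (
        f'<script src="{url}" integrity="{sri_hash(content)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for url in find_modified(baseline, SERVED_NOW):
        print(f"MODIFIED: {url} (pinned {baseline[url]})")
    for url, body in KNOWN_GOOD.items():
        print(script_tag(url, body))
```

Two caveats apply. The baseline is only as good as the copy it was taken from, so it has to be captured from a script you have actually reviewed, not from a CDN that may already be serving a tampered file. And vendors that update their scripts frequently will break a pinned `integrity` attribute on every legitimate release, so hash pinning needs a process for re-reviewing and re-pinning; where that is impractical, self-hosting a reviewed copy gives the same protection with the update step under your own control.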
Supply-Chain attacks on the increase
The last two years have seen a noticeable increase in supply-chain attacks, though hackers have realized that the larger companies are not easy targets anymore. That said, there are still exceptions, such as the Asus supply-chain slip-up that saw its pre-installed updater packed with malicious code that allowed hackers to install whatever payload they deemed necessary.
Hackers have slowly started to focus their attacks on smaller companies that provide scripts and other secondary code to the online equivalent of mom & pop stores. These would be chat widgets, live support scripts, and analytics, among other things. Picreel is an example of the analytics being infected, while Alpaca Forms is an example of forms being infected. The motivations behind an attack are usually straightforward, as they are mainly financial, though more targeted attacks have been known to install crypto-jacking scripts or steal data only from payment forms.
This attack, on the other hand, was very broad and focused on getting as much information as possible, with every single form on the infected websites sending its data to the Panama server. The threat actor behind this latest supply-chain breach has not been identified as of yet, so the exact nature of the attack is still unknown for the time being.