
Hackers use video player on real estate sites to steal bank cards

Hackers have devised a rather devious ploy to trap Internet users looking for a home. A script in the videos shown on real estate sites lets them collect personal information such as their victims' names and email addresses and, above all, their bank card details.


When we play a video embedded in a web page, we do not always pay attention to where it comes from. Is the footage from YouTube, Dailymotion, the website itself, or another cloud platform? It pays to be wary: researchers from the Unit 42 security team recently discovered a new type of attack that injects malicious code into the video player without the knowledge of the site playing the video.

Scripts of this kind usually turn up on online payment sites. This time, however, they are doing their dirty work in the video player of real estate sites, a component that may seem trivial. The video player is infected with a skimming script, skimming being the practice of stealing credit card information. Unit 42 has listed more than 100 sites that use, or have used, this type of video player.

This video player can easily steal your credit card information

Spotted by security researchers from Palo Alto Networks' Unit 42, the attack hides in an ordinary video player like dozens of others on the Web. One of these players, very commonly used by real estate sites, loads a JavaScript file stored on a remote server. That is the file the hackers managed to gain access to, and they modified it to inject their own malicious code.


As a result, when a site uses the compromised video player, it unknowingly runs the malicious script. The script's objective is to steal the personal data entered in the site's forms. It collects the following information:

  • the user's name
  • email address
  • telephone number
  • credit card information

Once stolen, the data is sent to a server controlled by a hacker, who can then use it to empty the victims' bank accounts. Because the script's code is heavily obfuscated, conventional analysis tools are unlikely to detect it. As the screenshot below shows, only 7 out of 79 scan tools were able to detect the threat.

VirusTotal threat scan result (capture credit: Unit 42).

The polymorphic nature of the script makes it more difficult to detect

The researchers immediately notified the compromised sites as well as the platform that hosted the malicious script, without disclosing the name of that platform. The script now appears to have been removed, but Unit 42 is still sounding the alarm.

Most worrying of all, this type of attack uses a constantly evolving script. As Unit 42 explains, it cannot be stopped simply by blocking a domain name or URL. The threat remains very real. “We are publishing this article to alert organizations and Internet users of potential attacks intended to infect legitimate websites without the knowledge of these organizations,” the researchers explain.
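Since blocking a domain or URL does not help when a trusted remote file is altered in place, a site operator can check the content itself instead. The sketch below is an added example, not code from Unit 42 or from the affected platform: it audits a page's third-party script tags against pinned Subresource Integrity hashes. The hosts, paths and script bodies are constructed, and `fetchBody` is a hypothetical stand-in for an HTTP fetch.

```javascript
const { createHash } = require('node:crypto');

// SRI value for a script body: "<alg>-<base64 digest>".
function sri(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Minimal tag scan for the demo; use a real HTML parser in production.
function externalScripts(html, pageOrigin) {
  const found = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script
    const url = new URL(src[1], pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party
    const pin = /\sintegrity\s*=\s*["']([^"']+)["']/i.exec(tag);
    found.push({ url: url.href, integrity: pin ? pin[1] : null });
  }
  return found;
}

// fetchBody(url) must return the script text currently served at url.
function audit(html, pageOrigin, fetchBody) {
  return externalScripts(html, pageOrigin).map(({ url, integrity }) => {
    if (!integrity) return { url, status: 'unpinned' };
    // The attribute may list several hashes; this demo accepts any match.
    const ok = integrity.trim().split(/\s+/).some((h) => {
      const alg = h.split('-')[0];
      return ['sha256', 'sha384', 'sha512'].includes(alg) &&
        sri(fetchBody(url), alg) === h;
    });
    return { url, status: ok ? 'ok' : 'modified' };
  });
}

// Constructed sample data: hosts, paths and script bodies are made up.
const cleanPlayer = 'function play(v){ v.play(); }';
const tamperedPlayer = cleanPlayer + ';/* injected form-reading code */';
const page = `
<script src="/js/site.js"></script>
<script src="https://video-cdn.example/player.js"
        integrity="${sri(cleanPlayer)}" crossorigin="anonymous"></script>
<script src="https://stats.example/t.js"></script>`;
const served = {
  'https://video-cdn.example/player.js': tamperedPlayer,
  'https://stats.example/t.js': 'void 0;',
};
const report = audit(page, 'https://realty.example', (u) => served[u]);
console.log(report);
```

A script tag that carries an `integrity` attribute is also enforced by the browser, which refuses to execute a file whose hash no longer matches; the audit flags both altered files and third-party scripts that have no pin at all.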

Source: Palo Alto Networks
