This article originally appeared in Information Security Buzz on May 14, 2019.
Hackers have injected malicious code into Alpaca forms and Picreel, an analytics service to steal payment information and passwords according to Security researcher Willhelm DeGroot.* DeGroot who discovered the attack believes more than 4,600 websites have been affected.
Supply chain attack of the week: @Picreel_
marketing software got hacked last night, their 1200+ customer sites are now leaking data to an exfil server in Panama.
Victims:
Decoded malware:
gist.github.com/gwillem/866af7
Mike Bittner, Digital Security and Operations Manager at The Media Trust:
“Hackers have realized that third-party code suppliers are soft targets and provide a window to a large number of client companies, high-profile or not. Security vulnerabilities aren’t limited to open source code either—they are widespread across the software industry, which thrives on short product cycles and narrow cost margins that give little priority to security and privacy. This is why supply chain attacks are growing in popularity. These gaps will have to be closed as various states here in the US enforce their own GDPR-inspired consumer data privacy laws. The California Consumer Privacy Act will go into effect beginning in January 2020. Any website owner will need to carefully vet their third-parties and conduct audits to ensure all third parties have adequate security measures in place. These processes will force software providers to build security and privacy testing into the product development lifecycle, and not sweep it under the rug, as providers have for years. If providers continue to operate as they have, they’ll find their cart abandonment rates soar, not to mention their costs after penalties are leveled.”
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
Picreel provides site owners with the capability to track very detailed visitor interaction, like mouse movement and page scrolling. So it is a more natural choice for sites that deal with financial information or are trying to sell the visitor something. The threat actor can maximize their return by targeting these sites, which are more likely to handle payment information. Among the victimized web sites are a few fairly popular sites around the world, like Correos which is the state owned postal service in Spain, and Gearpatrol.com which is a popular shopping site in the US.
This type of supply chain attack is one level up from the typical site compromise performed by groups like Magecart where a high profile site is infiltrated to insert a malicious javascript and siphon off payment card information. We are unfortunately in the era of cloud native risks associated with SaaS applications. It used to be that you needed to ensure the security of libraries you embed in your application, but with cloud real time delivery, the challenge has morphed into assessing the security posture of the entity providing you with the functionality.