Threat actors have breached the Brightcove account of Sotheby’s and deployed code capable of stealing and collecting payment card details on more than 100 websites operated by Sotheby’s real estate division.
The attack was carried out via the Brightcove video player, which Sotheby’s was using to show previews of expensive real estate properties it was selling on its websites.
With access to that account, the attackers appended code to Sotheby’s custom Brightcove video player. Because the player is loaded on every page that embeds it, the appended code ran in the context of each of those sites, where it hijacked web forms and acted as a keylogger, capturing what visitors typed into form fields.
The incident took place last year but was only disclosed on Monday in a report from security firm Palo Alto Networks.
While the report does not name either of the two companies, Palo Alto Networks shared a list of domains where the malicious code was deployed, which indirectly identified Sotheby’s as the real estate company.
Following additional inquiries from The Record earlier today, the Malwarebytes Threat Intelligence team was also able to identify the “cloud video platform” from the Palo Alto Networks report as Brightcove—based on code samples shared in the report and similar malicious code uploaded on VirusTotal since at least January 2021.
A script uploaded to VirusTotal in July 2021 appears to be related to the cloud video service skimmer attack reported by Palo Alto Networks. Full script (w/ skimmer): https://t.co/dLSE0AIibK #Magecart pic.twitter.com/TWZsrThyFm
— Malwarebytes Threat Intelligence (@MBThreatIntel) January 4, 2022
While Sotheby’s has not responded to a request for comment on the incident, Palo Alto Networks said the incident was resolved last year.
This marks the second time Sotheby’s has fallen victim to a card-skimmer attack, also known as a Magecart attack, after a similar incident in October 2018.
According to the Malwarebytes team, however, this attack appears less severe than the first: most of the affected sites had only a contact form and no forms for making online payments, so the keylogger would mainly have captured contact details rather than card data.
Malwarebytes and other security researchers queried by The Record today are now looking into this threat actor and into whether the group breached other Brightcove customer accounts to attack other websites, including ones with real e-commerce functionality, where payment card details are entered far more often than on a real estate contact form.
The post Card-stealing code found on more than 100 Sotheby’s luxury real estate sites appeared first on The Record by Recorded Future.