Data Skimmer Hits 100+ Sotheby’s Real-Estate Websites

The campaign was an opportunistic supply-chain attack abusing a weaponized cloud video player.

A supply-chain campaign infecting Sotheby’s real-estate websites with data-stealing skimmers was recently observed being distributed via a cloud-video platform.

According to Palo Alto Networks’ Unit 42 division, researchers noticed that most of the activity affected real-estate-related sites. At least 100 of them were successfully infected (the full list of affected websites can be found here). Upon closer inspection, all of the compromised sites belonged to one parent company (Sotheby’s), which imported the same video player, infested with malicious scripts, from the cloud video platform.

Many of the compromised sites (all of which were cleaned) were for specific properties for sale and are now defunct, but a look at some of the still-running sites shows heavy use of the Brightcove video player to showcase properties. However, the abused player in the campaign is unnamed in the post; Threatpost has reached out to Unit 42 for details.

“In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site’s HTML form page to collect sensitive user information,” researchers explained in a Monday posting. “In the case of
