The campaign was an opportunistic supply-chain attack abusing a weaponized cloud video player.
A supply-chain campaign infecting Sotheby’s real-estate websites with data-stealing skimmers was recently observed being distributed via a cloud-video platform.
According to Palo Alto Networks’ Unit 42 division, researchers noticed that most of the activity affected real-estate-related sites. At least 100 of them were successfully infected (the full list of affected websites can be found here). Upon closer inspection, all of the compromised sites belonged to one parent company (Sotheby’s), which imported the same video player, infested with malicious scripts, from the cloud video platform.
Many of the compromised sites (all of which were cleaned) were for specific properties for sale and are now defunct, but a look at some of the still-running sites shows heavy use of the Brightcove video player to showcase properties. However, the abused player in the campaign is unnamed in the post; Threatpost has reached out to Unit 42 for details.
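The defensive lesson of the campaign is that a script imported from a third-party platform can change underneath every site that embeds it. The example below is added here and is not code from the article, Unit 42 or any video platform; it shows two checks a site operator can apply to an embedded player script: pinning it with a Subresource Integrity (SRI) `integrity` attribute, verified the way a browser does, and comparing current copies of all third-party scripts against a recorded hash baseline to surface drift. The URL and script bodies are constructed placeholders.

```python
"""Added example (not from the article or Unit 42): pinning and monitoring
third-party scripts such as an embedded cloud video player.

Two defensive checks against a supplier-side script swap:
  1. Subresource Integrity (SRI): compute the `integrity` value for a known-good
     script body and verify a later copy against it, as a browser would.
  2. Baseline drift detection: compare current hashes of every third-party
     script a site loads with a recorded baseline and report what changed.
All script bodies and URLs below are constructed placeholders.
"""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # ordered weakest to strongest


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an `integrity` attribute value.

    The attribute may list several tokens; per the SRI spec the strongest
    supported algorithm is authoritative and any token using it may match.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        return False  # nothing enforceable; a strict pipeline treats that as failure
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t.partition("-")[0]))
    algo = strongest.partition("-")[0]
    actual = sri_hash(body, algo)
    return any(t == actual for t in tokens if t.startswith(algo + "-"))


def script_tag(src: str, body: bytes) -> str:
    """Emit the pinned <script> tag a site operator would publish."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def check_drift(baseline: dict, current: dict) -> dict:
    """Compare {url: body} snapshots against a {url: sha256 hex} baseline.

    Returns {url: 'changed' | 'new' | 'missing'} for anything that differs.
    """
    findings = {}
    for url, body in current.items():
        digest = hashlib.sha256(body).hexdigest()
        if url not in baseline:
            findings[url] = "new"
        elif baseline[url] != digest:
            findings[url] = "changed"
    for url in baseline:
        if url not in current:
            findings[url] = "missing"
    return findings


# Constructed sample data: a vendor player script as first deployed, and a later
# copy served from the same URL with extra bytes appended (stands in for any
# unexpected modification of the supplier's file).
PLAYER_URL = "https://cdn.example-video-platform.test/player.js"  # placeholder
GOOD_PLAYER = b"(function(){window.Player={play:function(id){/* render video */}};})();\n"
TAMPERED_PLAYER = GOOD_PLAYER + b"/* constructed: unexpected additional code */\n"


def demo() -> dict:
    """Run both checks over the constructed data and return the results."""
    pinned = sri_hash(GOOD_PLAYER)
    baseline = {PLAYER_URL: hashlib.sha256(GOOD_PLAYER).hexdigest()}
    return {
        "tag": script_tag(PLAYER_URL, GOOD_PLAYER),
        "good_passes_sri": verify_sri(GOOD_PLAYER, pinned),
        "tampered_passes_sri": verify_sri(TAMPERED_PLAYER, pinned),
        "drift": check_drift(baseline, {PLAYER_URL: TAMPERED_PLAYER}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

SRI only helps when the player is loaded from a fixed URL whose contents are meant to stay constant: a pinned tag refuses the modified copy, but it also refuses the vendor's legitimate updates until the operator re-pins, which is the trade-off a site accepts for embedding supplier code. Where the platform serves a mutable bundle, the baseline drift check is the fallback, run on a schedule from the operator's own monitoring host so that a supplier-side change is noticed rather than silently shipped to every site that embeds the player.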