User Passwords from 4,600 Sites Breached
TEHRAN (Tasnim) - Hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites.
The attack is ongoing, and the malicious scripts are still live, at the time of this article's publishing, security researchers have told ZDNet.
Both hacks have been spotted by Sanguine Security founder Willem de Groot earlier today and confirmed by several other security researchers.
Picreel is an analytics service that allows site owners to record what users are doing and how they're interacting with a website to analyze behavioral patterns and boost conversation rates. Picreel customers --website owners-- are supposed to embed a piece of JavaScript code on their sites to allow Picreel to do its job. It's this script that hackers have compromised to add malicious code.
Alpaca Forms is an open-source project for building web forms. It was initially developed by the enterprise CMS provider Cloud CMS and open-sourced eight years ago. Cloud CMS still provides a free CDN (content delivery network) service for the project. Hackers appear to have breached this Cloud CMS-managed CDN and modified one of the Alpaca Form scripts.
ZDNet has reached out to both companies for comment. In an email, Cloud CMS CTO Michael Uzquiano told ZDNet that hackers appeared to have compromised only one Alpaca Forms JavaScript file on its CDN, and nothing else.
MALICIOUS CODE LOGS ALL DATA ENTERED INSIDE FORM FIELDS
Currently, it is unknown how hackers breached Picreel or the Cloud CMS's Alpaca Forms CDN. In a Twitter conversation, de Groot told ZDNet the hack appears to have been carried out by the same threat actor.
The malicious code logs all content users enter inside form fields and sends the information to a server located in Panama. This includes data that users enter on checkout/payment pages, contact forms, and login sections.
The malicious code embedded in the Picreel script has been seen on 1,249 websites, while the Alpaca Forms one has been seen on 3,435 domains.
Cloud CMS has intervened and taken down the CDN that was serving the tainted Alpaca Forms script. The company is now investigating the incident and clarified "there has been no security breach or security issue with Cloud CMS, its customers or its products." Currently, there is no evidence to suggest this, unless Cloud CMS customers used the Alpaca Forms script for their sites on their own.
SUPPLY-CHAIN ATTACKS, A GROWING THREAT FOR WEBSITES
In the past two years, attacks like these ones have become quite common. Known as supply-chain attacks, hackers groups have realized that breaching high-profile websites isn't as simple as it sounds, and they've started targeting smaller businesses that provide "secondary code" to these websites, and thousand others.
They targeted providers of chat widgets, live support widgets, analytics companies, and more.
Motivations vary depending on the group. For example, some groups have hacked third-party companies to deploy cryptojacking scripts, while others have used the same technique to deploy specialized code that steals only data entered in payment forms.
Today's attack is different because it is quite generic, targeting every form field on a website, regardless of purpose.