The same group of hackers has compromised Alpaca Forms and Picreel, planting malicious code on thousands of sites.
The attack is ongoing, and at the time of writing the malicious scripts are still live.
Both hacks were identified earlier today and confirmed by Sanguine Security founder Willem de Groot.
Alpaca Forms is an open-source project for building web forms. It was initially developed eight years ago by the enterprise CMS provider Cloud CMS and later open-sourced. Cloud CMS still provides the project with a free CDN (Content Delivery Network) service. Hackers appear to have breached this Cloud CMS-managed CDN and modified one of the Alpaca Forms scripts it serves.
MALICIOUS CODE LOGS ALL DATA ENTERED INTO FORM FIELDS
It is currently unknown how the hackers breached Picreel or Cloud CMS’s Alpaca Forms CDN. De Groot told Cybersguards in a Twitter conversation that both had been hacked by the same threat actor.
The malicious code logs everything users type into form fields and sends it to a server in Panama. This includes information users enter into contact forms, login sections and checkout/payment pages.
The malicious code in the Picreel script was found on 1,249 websites, and the one in the Alpaca Forms script on 3,435 domains.
Cloud CMS intervened and took down the CDN that served the Alpaca Forms script. The company is now investigating the incident and states, “There have been no security or security problems with Cloud CMS, its clients or its products.” There is currently no evidence to suggest otherwise, unless Cloud CMS clients themselves load the Alpaca Forms script on their sites.
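As an added example (not from the article, nor code from Cloud CMS, Picreel or Alpaca Forms), the following Python audits the third-party scripts a page loads against hashes recorded while those scripts were known-good, which is how a site owner would notice that a CDN-hosted script had changed under them. The hosts, script bodies and baseline are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Constructed sample page: two third-party scripts and one first-party script.
SAMPLE_HTML = """
<script src="https://cdn.example-cms.test/alpaca/form-builder.js"></script>
<script src="https://cdn.example-widget.test/picreel-like.js"></script>
<script src="/static/app.js"></script>
"""

# Constructed script bodies. The form-builder copy grew after the baseline
# was recorded, standing in for a script modified on the vendor's CDN.
KNOWN_GOOD = b"window.FormBuilder = function () { /* renders forms */ };\n"
TAMPERED = KNOWN_GOOD + b"/* content appended after the baseline was taken */\n"
WIDGET = b"(function () { /* support widget */ })();\n"

# What a fetch of each URL returns today (constructed; a real monitor would download them).
FETCHED = {
    "https://cdn.example-cms.test/alpaca/form-builder.js": TAMPERED,
    "https://cdn.example-widget.test/picreel-like.js": WIDGET,
}

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value (algo-base64(digest)) of a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

# Hashes recorded when both scripts were reviewed and known-good.
BASELINE = {
    "https://cdn.example-cms.test/alpaca/form-builder.js": sri_hash(KNOWN_GOOD),
    "https://cdn.example-widget.test/picreel-like.js": sri_hash(WIDGET),
}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def third_party_scripts(html: str, own_host: str) -> list[str]:
    """Absolute script URLs that are not served from the site's own host."""
    return [u for u in SCRIPT_SRC.findall(html) if u.startswith("http") and own_host not in u]

def audit(html: str, fetched: dict, baseline: dict, own_host: str) -> dict:
    """Map each third-party script URL to 'ok', 'MODIFIED', 'no-baseline' or 'unreachable'."""
    report = {}
    for url in third_party_scripts(html, own_host):
        expected = baseline.get(url)
        if expected is None:
            report[url] = "no-baseline"        # new script nobody reviewed
        elif url not in fetched:
            report[url] = "unreachable"        # CDN down or URL removed
        else:
            report[url] = "ok" if sri_hash(fetched[url]) == expected else "MODIFIED"
    return report
```

The same `sri_hash` value placed in the script tag's `integrity` attribute makes browsers refuse a modified copy outright; the caveat is that it also blocks every legitimate vendor update until the baseline is re-reviewed.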
SUPPLY-CHAIN ATTACKS, A GROWING THREAT TO WEBSITES
Attacks like these have become quite common in the last two years. Known as supply-chain attacks, they reflect hacker groups’ realization that high-profile websites are not easy to break into directly, which has led them to target the smaller companies that provide ‘secondary code’ to these sites and thousands of others.
They targeted chat providers, live support widgets, analytics firms and more.
The motivations vary from group to group. For example, some groups hacked third parties to plant cryptojacking scripts, while others used the same technique to deploy specialized code that stole only the data entered into payment forms.
The current attack is different because it is generic and targets every form field on a website, whatever its purpose.