We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.

In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.

Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.

Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material are now at risk.

Online conference sites compromised with Inter skimming kit

Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on demand, or a hybrid of the two.

Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.

Figure 1: Legitimate PlayBack Now website

Businesses or organizations that want to join the experience can get a dedicated website from where they will serve and promote their content. Take the following website built for the Association of Healthcare Internal Auditors.

Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.

Figure 2: A Playback Now customer site that has been compromised

A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website (playbacknow.com), but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.

That domain was registered only a couple of weeks ago and its home page is void of any content.

Domain name: playbacknows.com
Creation Date: 2020-09-21T20:22:10.00Z
Registrar: NAMECHEAP INC
Registrant Name: WhoisGuard Protected
Registrant Street: P.O. Box 0823-03411 
Registrant City: Panama

In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blogpost).
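One way a site owner or a scanner could catch the lookalike reference described above, as an added example (not code from the original post or from Playback Now): parse every `<script src>` on a page and flag any host whose registered domain is within one edit of an allowlisted first-party domain. The allowlist and the sample checkout page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"playbacknow.com", "www.playbacknow.com"}
# Constructed sample page: a relative script, a first-party script, and one
# reference to the lookalike domain named in the post.
SAMPLE_PAGE = """<html><head>
<script src="/skin/frontend/base/default/js/checkout.js"></script>
<script src="https://www.playbacknow.com/js/player.js"></script>
<script src="https://playbacknows.com/playback/index.js"></script>
</head><body></body></html>"""

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def edit_distance(a, b):
    """Levenshtein distance: one extra, missing or swapped letter gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Crude registrable-domain cut (last two labels); adequate for .com hosts.
    return ".".join(host.lower().split(".")[-2:])

def find_lookalike_scripts(html, allowed=ALLOWED_HOSTS, max_distance=1):
    """Return (src, allowlisted domain, distance) for near-miss script hosts."""
    parser = ScriptSrcParser()
    parser.feed(html)
    allowed_domains = {registered_domain(h) for h in allowed}
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if not host or host.lower() in allowed:
            continue  # relative path or explicitly allowlisted: first-party
        for good in allowed_domains:
            dist = edit_distance(registered_domain(host), good)
            if 0 < dist <= max_distance:
                findings.append((src, good, dist))
    return findings
```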

This JavaScript is a skimmer that has been lightly obfuscated and contains several strings that are characteristic markers of the Inter skimming kit.

Figure 3: Checkout page where skimmer will steal credit card data

When someone purchases a course or conference recording, their personal and credit card data will be leaked to criminals via the same malicious domain housing the skimmer.

Breach possibly related to Magento 1.x exploit

All affected Playback Now customer sites are running on the same IP address at 209.126.18.3. Using VirusTotal Graph we can see an interesting connection with a piece of malware we previously documented.

Figure 4: VirusTotal graph showing a connection between malware and hosting server

This GoLang sample attempts to brute-force access into a variety of Content Management Systems. If successful, attackers could use the gained credentials to inject malicious code into e-commerce sites.

This connection was interesting but lost some value when we looked at the submission date for this sample to VirusTotal. It’s quite likely that the server was pinged just like many others, but it’s unclear whether it would have resulted in a breach, even at a later date.

Based on an analysis of the compromised Playback Now related sites, we found they were running a vulnerable version of the Magento CMS, namely version 1.x. Following the release of an exploitation tool, a wave of attacks was recently observed, compromising over two thousand sites.

Given the timeline, this incident could have leveraged the same exploit and been carried out by the same group, or perhaps a different one.

The official website playbacknow.com is hosted on 209.126.18.3 as well, but it does not appear to be compromised. One thing to note though is that it is running a different CMS, namely WordPress version 5.4.

We contacted Playback Now to report this breach. In the meantime, Malwarebytes Browser Guard detects and blocks the fraudulent skimmer domain.

Figure 5: Malwarebytes Browser Guard blocking this attack

Indicators of Compromise (IOCs)

Skimmer

playbacknows[.]com/playback/index.js

Compromised sites


Server hosting compromised sites

209.126.18.3