We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.

In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.

Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.

Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material are now at risk.

Online conference sites compromised with Inter skimming kit

Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on-demand, or a hybrid of the two.

Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.

Figure 1: Legitimate PlayBack Now website

Businesses or organizations that want to join the experience can get a dedicated website from where they will serve and promote their content. Take the following website built for the Association of Healthcare Internal auditors.

Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.

Figure 2: A Playback Now customer site that has been compromised

A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website (playbacknow.com), but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.

That domain was registered only a couple of weeks ago and its home page is void of any content.

Domain name: playbacknows.com
Creation Date: 2020-09-21T20:22:10.00Z
Registrar: NAMECHEAP INC
Registrant Name: WhoisGuard Protected
Registrant Street: P.O. Box 0823-03411 
Registrant City: Panama

In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blogpost).

This JavaScript is a skimmer that has been lightly obfuscated and contains a certain number of strings that are a common marking for the Inter skimming kit.

Figure 3: Checkout page where skimmer will steal credit card data

When someone purchases a course or conference recording, their personal and credit card data will be leaked to criminals via the same malicious domain housing the skimmer.

Breach possibly related to Magento 1.x exploit

All affected Playback Now customer sites are running on the same IP address at 209.126.18.3. Using VirusTotal Graph we can see an interesting connection with a piece of malware we previously documented.

Figure 4: VirusTotal graph showing a connection between malware and hosting server

This GoLang sample attempts to bruteforce access into a variety of Content Management Systems. If successful, attackers could use the gained credentials to inject malicious code into e-commerce sites.

This connection was interesting but lost some value when we looked at the submission date for this sample to VirusTotal. It’s quite likely that the server was pinged just like many others, but it’s unclear whether it would have resulted in a breach, even at a later date.

Based on an analysis of the compromised Playback Now related sites, we found they were running a vulnerable version of the Magento CMS, namely version 1.x. Following the release of an exploitation tool, a wave of attacks was recently observed, compromising over two thousand sites.

Given the timeline, this incident could have been leveraging the same exploit and be carried out by the same or perhaps a different group.

The official website playbacknow.com is hosted on 209.126.18.3 as well, but it does not appear to be compromised. One thing to note though is that it is running a different CMS, namely WordPress version 5.4.

We contacted Playback Now to report this breach. In the meantime, Malwarebytes Browser Guard detects and blocks the fraudulent skimmer domain.

Figure 5: Malwarebytes Browser Guard blocking this attack

Indicators of Compromise (IOCs)

Skimmer

playbacknows[.]com/playback/index.js

Compromised sites

Website Organization
playbacknar[.]com National Association of Realtors
naraei[.]playbacknow[.]com National Association of Realtors
nais[.]playbacknow[.]com National Association of Independent Schools
nasmm[.]playbacknow[.]com National Association of Senior Move Managers
tripleplay[.]playbacknow[.]com Triple Play
digitaldealer[.]playbacknow[.]com Digital Dealer
playbackaaj[.]com American Association for Justice
playbackacp[.]com American College of Physicians
playbacksmilesource[.]com Smile Source
playbackc21[.]com Century 21 University
playbackada[.]com American Diabetes Association
playbacknailba[.]com NAILBA
playbackswana[.]com SWANA
playbacknaspa[.]com NASPA
playbackaupresses[.]com Association of University Presses
playbacknacba[.]com NACBA
playbackaca[.]com ACA International
playbacknala[.]com NALA Paralegal Association
playbacknatp[.]com National Association of Tax Professionals
iplayback[.]com
playbackcore[.]com
playbackndsc[.]com National Down Syndrome Congress
playbackaata[.]com American Art Therapy Association
playbacksnrs[.]com Southern Nursing Research Society
playbackssp[.]com Society for Scholarly Publishing
playbackcaregiving[.]com Caregiving
playbackcas[.]com Casualty Actuarial Society
playbackmpc[.]com Midwest Podiatry Conference
playbackhinman[.]com Hinman Dental
playbacknetworker[.]com Psychotherapy Networker
playbacknara[.]com National Association for Regulatory Administration
aspcvirtualsummit[.]org American Society for Preventive Cardiology
playbackfgs[.]com National Genealogy Society
playbackifa[.]com International Franchise Association
playbackashe[.]com Association for the Study of Higher Education
playbackippfa[.]com IPPFA
playbackahri[.]com Air Conditioning Heating Refrigeration Institute
playbackaonl[.]com American Organization for Nursing Leadership
playbackngs[.]com National Genealogy Society
playbackrlc[.]com Restaurant Law Center
playbackahia[.]com Association of Healthcare Internal Auditors
playbacknacac[.]com National Association for College Admission Counseling

Server hosting compromised sites