Hackers are collecting payment details, user passwords from thousands of sites

Servers of at least seven companies compromised to deliver malicious code to thousands of sites.

Hacked code

Hackers have breached the servers of at least seven online service providers to embed malicious code on thousands of websites, security researchers have told ZDNet.

The attack is ongoing, and the malicious scripts are still live, at the time of this article's publishing.

Initial hacks have been spotted by Sanguine Security founder Willem de Groot earlier today and confirmed by several other security researchers.

At first, de Groot spotted the malicious scripts on the servers of Alpaca Forms and Picreel, but RiskIQ researchers also discovered similar scripts on the servers of five other online services, such as AppLixir, RYVIU, OmniKick, eGain, and AdMaxim.

Malicious code logs all data entered inside form fields

Currently, it is unknown how hackers breached these companies. In a Twitter conversation, de Groot told ZDNet the hack appears to have been carried out by the same threat actor.

The malicious code logs all content users enter inside form fields and sends the information to a server located in Panama. This includes data that users enter on checkout/payment pages, contact forms, and login sections.

Cloud CMS, the company which was  providing free CDN hosting for the compromised Alpaca Forms script, has intervened to take down the entire CDN serving the tainted Alpaca Forms script. The company is now investigating the incident and clarified "there has been no security breach or security issue with Cloud CMS, its customers or its products." Currently, there is no evidence to suggest this, unless Cloud CMS customers used the Alpaca Forms script for their sites on their own.

Picreel was also lucky. RiskIQ says the malicious code added to the company's scripts was bungled and the malicious code never executed. They made the same error when trying to add the malicious code to OmniKick.

eGain was in a similar situation, with the hackers modifying one of the scripts that loaded exclusively on the eGain website, and not the script that was embedded on remote customer sites.

Supply-chain attacks, a growing threat for websites

In the past two years, attacks like these ones have become quite common. Known as supply-chain attacks, hackers groups have realized that breaching high-profile websites isn't as simple as it sounds, and they've started targeting smaller businesses that provide "secondary code" to these websites, and thousands of others.

They targeted providers of chat widgets, live support widgets, analytics companies, and more.

Motivations vary depending on the group. For example, some groups have hacked third-party companies to deploy cryptojacking scripts, while others have used the same technique to deploy specialized code that steals only data entered in payment forms.

Today's attack is different because it is quite generic, targeting every form field on a website, regardless of purpose.

Article updated on May 31 with the results of the RiskIQ investigation. An initial version of this article only listed Alpaca Forms and Picreel as impacted services.

More data breach coverage: