Hackers collect payment and password info from more than 4,600 sites


Two recent supply-chain attacks have allowed hackers to collect the payment info and user passwords of more than 4,600 websites.

According to ZDNet, the supply-chain attacks were spotted by Sanguine Security forensic analyst Willem de Groot, who reported them on Twitter, and were still considered ongoing as of Sunday, May 12.

The attacks involved the breaching of an analytics service known as Picreel and an open-source project called Alpaca Forms. Essentially, the hackers responsible for the attack altered JavaScript files belonging to each project in order to “embed malicious code on over 4,600 websites.” Once embedded, the malicious code collected the information entered by website users (payment information, logins, and contact form data) and submitted it to a server in Panama.

How the malicious code was able to reach thousands of websites so quickly is explained by the kinds of services the hackers compromised in the first place. For example, as ZDNet notes, Picreel’s main service lets site owners “record what users are doing and how they’re interacting with a website to analyze behavioral patterns and boost conversion rates.” In order to provide that service, Picreel clients (read: website owners) have to insert a bit of JavaScript code in their own websites. The malicious code was spread by altering that bit of JavaScript code, so every site loading it received the modified version.

Alpaca Forms is an open-source project used to build web forms. The project was created by Cloud CMS. Hackers were able to spread their malicious code via Alpaca Forms by breaching a content delivery network (CDN) used by Alpaca Forms and managed by Cloud CMS. After breaching this CDN, the hackers were able to alter an Alpaca Forms script to spread the malicious code. In an emailed statement to ZDNet, Cloud CMS Chief Technical Officer Michael Uzquiano said that only one Alpaca Forms JavaScript file had been altered. ZDNet also reports that the affected CDN was taken down by Cloud CMS. The content management system company also stated the following: “There has been no security breach or security issue with Cloud CMS, its customers or its products.”

However, as ZDNet notes, that conclusion doesn’t seem to be supported by any proof. The code found in the Alpaca Forms attack has been spotted on 3,435 sites so far, and the malicious code found in the Picreel attack was reportedly spotted on 1,249 websites.

It is currently unclear who the hackers are. However, de Groot reported via Twitter on Monday, May 13 that the malicious code has finally been removed by Picreel and Cloud CMS.

