Hackers collect payment and password info from more than 4,600 sites

Stock photo of laptop with code on its screen
Negative Space/Pexels

Two recent supply-chain attacks have allowed hackers to collect the payment info and user passwords of more than 4,600 websites.

According to ZDNet, the supply-chain attacks were spotted by Twitter user and Sanguine Security forensic analyst Willem de Groot and were still considered ongoing as of Sunday, May 12.

The attacks involved the breaching of an analytics service known as Picreel and an open-source project called Alpaca Forms. Essentially, the hackers responsible for the attack altered the JavaScript files of each company in order to “embed malicious code on over 4,600 websites.” Once embedded, the malicious code then collected the information given by website users (payment information, logins, and contact form data) and then submitted the information it collected to a server in Panama.

How the malicious code was able to reach thousands of websites so quickly can be explained by the kinds of companies they attacked in the first place. For example, as ZDNet notes, Picreel’s main service is that it lets “site owners to record what users are doing and how they’re interacting with a website to analyze behavioral patterns and boost conversation rates.” And in order to provide that service, Picreel clients (read: website owners), have to insert a bit of JavaScript code in their own websites. The malicious code was spread by altering that bit of JavaScript code.

Alpaca Forms is basically an open-source project used to build web forms. The project was created by Cloud CMS. Hackers were able to spread their malicious code via Alpaca Forms by breaching a content delivery service network (CDN) used by Alpaca Forms and managed by Cloud CMS. After breaching this CDN, the hackers were then able to alter an Alpaca Form script to spread the malicious code. In an emailed statement to ZDNet, Cloud CMS Chief Technical Officer Michael Uzquiano said that only one Alpaca Form JavaScript file had been altered. In addition, ZDNet also reports that the affected CDN was taken down by Cloud CMS. The content management system company also stated the following: “There has been no security breach or security issue with Cloud CMS, its customers or its products.”

However, as ZDNet notes, that conclusion doesn’t seem to be supported by any proof. Also, the code found in the Alpaca Forms attack has been spotted on 3,435 sites. And the malicious code found in the Picreel attack was reportedly spotted on 1,249 websites so far.

It is currently unclear who the hackers are. However, it was reported by de Groot via Twitter on Monday, May 13 that the malicious code has finally been removed by Picreel and Cloud CMS.


Lawsuit over Capital One data breach could eventually get you sweet revenge

The law firm Colson Hicks Eidson has filed a class-action lawsuit against Capital One “for negligence in failing to safeguard consumers’ personal information” in the recent data breach that impacted 100 million consumers.

Buy less, give more: Amazon will donate products you don’t buy to charity

Amazon will now donate unsold and returned products to charities with a new initiative the company is calling Fulfillment by Amazon (FBA) Donations. Sellers can use the FBA program to donate eligible products starting in September.
Small Business

The 15 best tech jobs boast top salaries, high satisfaction, lots of openings

The bonanza of tech jobs just keeps coming. High-paying tech jobs abound at companies where people love to work. If you’re ready to make a change, this is a great time to look for something more fulfilling.   

Windows 10 has two critical vulnerabilities; update now to avoid infection

Microsoft recently alerted users that it patched two critical remote code execution (RCE) "wormable" vulnerabilities, which could have allowed hackers to spread malware to PCs. If you haven't updated Windows 10 yet, get on it.

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement or an unwanted trip to your local repair shop.

Keep your laptop battery in tip-top condition with these handy tips

Learn how to care for your laptop's battery, how it works, and what you can do to make sure yours last for years and retains its charge. Check out our handy guide for valuable tips, no matter what type of laptop you have.

Now’s your chance to get the latest iPad Pro for $100 less on Amazon

The latest iPad Pro has always been our favorite since its release last year, and we even tagged it as the best tablet ever. Don’t miss out on Amazon’s discount on the 12-inch 256GB Wi-Fi model and get yours today for $1,049.

From Chromebooks to MacBooks, here are the best laptop deals for August 2019

Whether you need a new laptop for school or work, we have you covered. We've put together a list of the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.

Amazon cuts $52 off this Samsung Galaxy 10.1-inch tablet for the whole family

Normally priced at $330, you can grab the Samsung Galaxy Tab A 10.1-inch 128GB Wi-Fi tablet now for only $278 and enjoy $52 savings. On top of that, Amazon is offering an extra $28 discount when you apply for a coupon during checkout.

Tired of choosing between Windows and Mac? Check out these Chromebooks instead

We've compiled a list of the best Chromebooks -- laptops that combine great battery life, comfortable keyboards, and the performance it takes to run Google's lightweight Chrome OS. From Samsung to Acer, these are the Chromebooks that really…

Tired of your Mac freezing? Try these tips to fix your Mac

A Mac that keeps freezing can be an incredibly annoying thing to deal with, but fixing it doesn’t have to be a pain. There are six main things you should try, which we got through in this guide to help you fix the issue once and for all.

Here's our guide to how to charge your laptop using a USB-C cable

Charging via USB-C is a great way to power up your laptop. It only takes one cable and you can use the same one for data as well as power -- perfect for new devices with limited port options.

1.5% of Chrome users’ passwords are known to be compromised, according to Google

In February, a new feature was introduced to the Google Chrome browser which checks whether users' passwords are secure. Now, Google has released eye-opening stats gathered from Password Checkup.

Latest Windows 10 update is causing random reboots and can break Visual Basic

The latest update for Windows 10, made available on Tuesday this week, includes patches against two critical vulnerabilities. But it is causing a string of issues including random reboots and failure to install.