Hackers collect payment and password info from more than 4,600 sites

Stock photo of laptop with code on its screen
Negative Space/Pexels

Two recent supply-chain attacks have allowed hackers to collect the payment info and user passwords of more than 4,600 websites.

According to ZDNet, the supply-chain attacks were spotted by Twitter user and Sanguine Security forensic analyst Willem de Groot and were still considered ongoing as of Sunday, May 12.

The attacks involved the breaching of an analytics service known as Picreel and an open-source project called Alpaca Forms. Essentially, the hackers responsible for the attack altered the JavaScript files of each company in order to “embed malicious code on over 4,600 websites.” Once embedded, the malicious code then collected the information given by website users (payment information, logins, and contact form data) and then submitted the information it collected to a server in Panama.

How the malicious code was able to reach thousands of websites so quickly can be explained by the kinds of companies they attacked in the first place. For example, as ZDNet notes, Picreel’s main service is that it lets “site owners to record what users are doing and how they’re interacting with a website to analyze behavioral patterns and boost conversation rates.” And in order to provide that service, Picreel clients (read: website owners), have to insert a bit of JavaScript code in their own websites. The malicious code was spread by altering that bit of JavaScript code.

Alpaca Forms is basically an open-source project used to build web forms. The project was created by Cloud CMS. Hackers were able to spread their malicious code via Alpaca Forms by breaching a content delivery service network (CDN) used by Alpaca Forms and managed by Cloud CMS. After breaching this CDN, the hackers were then able to alter an Alpaca Form script to spread the malicious code. In an emailed statement to ZDNet, Cloud CMS Chief Technical Officer Michael Uzquiano said that only one Alpaca Form JavaScript file had been altered. In addition, ZDNet also reports that the affected CDN was taken down by Cloud CMS. The content management system company also stated the following: “There has been no security breach or security issue with Cloud CMS, its customers or its products.”

However, as ZDNet notes, that conclusion doesn’t seem to be supported by any proof. Also, the code found in the Alpaca Forms attack has been spotted on 3,435 sites. And the malicious code found in the Picreel attack was reportedly spotted on 1,249 websites so far.

It is currently unclear who the hackers are. However, it was reported by de Groot via Twitter on Monday, May 13 that the malicious code has finally been removed by Picreel and Cloud CMS.

Computing

Opera GX is a browser for gamers, but the actual gaming is still to come

Every company seems to have a product line or two aimed squarely at gamers, so why not browsers too? Opera has a new branch of its main browser called Opera GX and it's designed specifically with gamers in mind.
Emerging Tech

The Russian hackers behind Triton tried to attack the U.S. power grid

A hacking group linked to the Russian government has been attempting to breach the U.S. power grid. The hackers have been tracked by security experts who warn that the group has been probing the grid for weaknesses.
Small Business

The 15 best tech jobs boast top salaries, high satisfaction, lots of openings

May may be coming to an end, but the bonanza of tech jobs just keeps coming. High-paying jobs abound at companies where people love to work. If you’re ready to make a change, this is a great time to look for something more fulfilling…
Emerging Tech

Uber Eats’ drone delivery service could see Big Macs hit speeds of 70 mph

Uber Eats is testing meal delivery using drones. The company wants to start a commercial delivery service using the drone this summer, but it still needs permission from regulators.
Computing

Monzo will launch its banking app in the U.S., but it may be a hard sell

Monzo, a popular mobile banking app from the U.K., will launch this summer in the United States, but its plan for a slow release and an initially feature-light banking app may be a hard sell for its prospective U.S. customers.
Computing

Apple just registered seven new MacBooks, but what are they? Let’s speculate

When Apple registers new devices, that usually means they’re only weeks away from being released. The company has just registered seven new devices -- but are they Airs, Pros or something else entirely?
Photography

The Loupedeck Plus custom keyboard will make you feel like a pro video editor

With recently added support for Final Cut Pro X, the Loupedeck Plus improves speed and accuracy for video editors. With a collection of customizable buttons and dials, the Loupedeck can almost completely replace a mouse and keyboard setup.
Deals

Amazon cuts prices on Microsoft Surface Pro 6 and Surface Go

The Microsoft Surface series is an excellent alternative to other tablets if you're a dedicated Windows user, and the superb Surface Pro 6 (our favorite 2-in-1) and its cheaper sibling, the Surface Go, are both on sale right now.
Deals

Amazon sale drops deals on Microsoft Surface laptops

Despite an increasingly crowded market, the sleek Microsoft Surface laptops have left their mark. Both the Microsoft Surface Laptop 2 and Surface Book 2 are discounted on Amazon right now, too, with deals that can save you up to $300.
Computing

If you need your laptop to be large, these ones are most in charge

Whether you're in the market for a mobile workstation or a gaming behemoth, there's probably something in the 15-inch form factor that can fit the bill. Here, we've rounded up the best 15-inch laptops available.
Computing

Need more pixels? These 4K laptops have the eye-popping visuals you crave

If you're looking for the best 4K laptops, you need to find one that has powerful internal hardware, and doesn't scrimp on weight and battery life. All of these 4K notebooks are great options, but which one is the right one for you?
Computing

AMD’s Ryzen one-two punch will end with a 64-core Threadripper in 2019

AMD's Threadripper may be set to deliver the killing blow to Intel in Q4 2019, with a rumor suggesting a new Zen 2-based Threadripper line is coming down the pipe with a top chip that has as many as 64 cores.
Photography

What’s the difference between Lightroom CC and Lightroom Classic?

Lightroom CC has evolved into a capable photo editor, but is it enough to supplant Lightroom Classic? We took each program for a test drive to compare the two versions and see which is faster, more powerful, and better organized.
Computing

HP's Spectre x360 is a better 2-in-1 than Microsoft's Surface Laptop 2 is a clamshell

The Microsoft Surface Laptop 2 is a refresh of Microsoft's clamshell option, an oddity given Microsoft's creation of the modern 2-in-1. The HP Spectre x360 13 is, therefore, an interesting comparison.