The malicious scripts are live and the attack is ongoing. This attack was spotted by Sanguine Security founder Willem de Groot and was confirmed by other security researchers.
"Supply chain attack of the week: @Picreel_ marketing software got hacked last night, their 1200+ customer sites are now leaking data to an exfil server in Panama."
— Willem de Groot (@gwillem) May 12, 2019
According to de Groot, the hack appears to have been carried out by the same threat actor, and it is known how the attackers breached these two companies. The injected code logs everything a user enters into a form, such as usernames and passwords, and sends it to a server based in Panama. More worrying still, the captured data includes input on checkout/payment pages, contact forms, and login pages.
The malicious code delivered through Picreel was observed on over 1249 websites, while the code hosted on Cloud CMS was seen on over 3400 websites. Later in the day, it was reported that the malicious code had been completely removed from Cloud CMS.
Picreel is a website analytics service that lets site owners record what visitors do and how they interact with a site in order to analyze patterns of behavior. Cloud CMS is a cloud-hosted content management system that lets users and businesses host a website instead of running it on their own servers.
The attackers' motivations vary: some groups have hacked third-party companies to deploy cryptojacking scripts, while others have attacked only to steal the data entered into payment forms.