Card-stealing code found on more than 100 Sotheby's luxury real estate sites

Threat actors have deployed code capable of stealing and collecting payment card details on more than 100 websites operated by Sotheby's real estate division.

The incident took place last year but was only disclosed on Monday in a report from security firm Palo Alto Networks.

The attack was carried out after attackers modified some JavaScript files that were served to the affected sites via the Brightcove video player, which Sotheby's was using to show previews of expensive real estate properties it was selling on its websites.

While the report does not name either of the two companies, Palo Alto Networks shared a list of domains where the malicious code was deployed, which indirectly identified Sotheby's as the real estate company.

Following additional inquiries from The Record earlier today, the Malwarebytes Threat Intelligence team was also able to identify the "cloud video platform" from the Palo Alto Networks report as Brightcove—based on code samples shared in the report and similar malicious code uploaded on VirusTotal since at least January 2021.

While Sotheby's has not responded to a request for comment on the incident, Palo Alto Networks said the incident was resolved last year.

This would mark the second time that Sotheby's would fall victim to a card skimmer attack, also known as a Magecart attack, after suffering a similar incident in October 2018.

However, according to the Malwarebytes team, this attack doesn't seem as bad as the first since most of the impacted sites only included a contact form and did not come with forms for making online payments.

Malwarebytes and other security researchers queried today by The Record are currently looking into this threat actor and the possibility that they might have executed similar attacks via other Brightcove customer accounts to attack other websites, including ones with actual e-commerce capabilities where payment card details are collected on a more frequent basis.

Contacted for comment, Brightcove provided the following statement regarding last year's Sotheby's incident:

A Brightcove customer experienced a security issue that originated with videos stored by the customer on a third-party solution, and at no point were other customers, or their end-users, at risk due to this incident. Brightcove operates a highly secure video platform and offers a number of solutions to ensure a secure video experience for our customers. If our customers or partners experience security threats to their systems that would impact their use of our services, we work closely with them to remedy any vulnerabilities as quickly as possible and offer support from our team of experts

Article updated with comment from Brightcove and to clarify that no Birghtcove accounts were compromised, as the attack was executed by modifying resources stored externally of the platform.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.