MULTIPLE WEBSITES BREACHED THROUGH COMPROMISED HOSTING SERVICE
April 22, 2025
A new attack has been disclosed in which the malicious code is hosted on a known and trusted source, effectively bypassing defenses that rely on Content Security Policy (CSP), since such sources are typically whitelisted.
The Source Defense Research Team has uncovered another sophisticated breach affecting numerous websites, including UK-based restaurant websites using a popular online food ordering platform. In this case, malicious scripts were loaded from CodePen’s Asset Hosting service, which complicates detection, especially for security strategies that rely on whitelisting. Detection remains difficult even though the script then establishes a WebSocket connection to a known malicious domain. Furthermore, the stolen data is transmitted via WebSockets, a method that has gained popularity over the past year and may be overlooked because of its relatively recent emergence.
This type of attack is known as a silent skimming attack because the theft occurs as the user enters sensitive details into a legitimate payment form, and it typically goes completely unnoticed by users.
Our team immediately alerted CodePen, and they responded quickly to remove the malicious content.
This incident serves as a crucial reminder that comprehensive protection against such attacks requires solutions that consistently monitor scripts, whether newly introduced or exhibiting suspicious behavior. Additionally, it’s essential to monitor data transfers via WebSockets to ensure their legitimacy.
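The following is an added example illustrating the two monitoring points the paragraph above calls for; it is not code from the original post or from Source Defense. It wraps the page's WebSocket constructor so that every connection is checked against an allowlist of approved origins, and it inspects outbound frames for card-number-like values before they leave the page. The allowlist origin `wss://ws.example-orders.test` and the `FakeSocket` class are constructed placeholders so the example runs offline; in a real deployment the monitor would be installed on `window` before any third-party script executes.

```javascript
// Added example (not Source Defense code): a page-side WebSocket monitor.
// Every WebSocket endpoint is treated as untrusted unless its origin is on
// the allowlist, and outbound frames are checked for card-like payloads.

// Constructed placeholder: the site's own, approved WebSocket origin(s).
const ALLOWED_WS_ORIGINS = ['wss://ws.example-orders.test'];

// Classify a WebSocket URL: 'allowed' (origin on the list), 'blocked'
// (valid ws/wss URL to an unapproved origin) or 'invalid' (not a ws/wss URL).
function classifyWebSocketTarget(url, allowlist = ALLOWED_WS_ORIGINS) {
  let parsed;
  try { parsed = new URL(url); } catch { return 'invalid'; }
  if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') return 'invalid';
  return allowlist.includes(parsed.origin) ? 'allowed' : 'blocked';
}

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0, doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Heuristic: does the outbound frame contain a 13-19 digit Luhn-valid run
// (spaces and dashes inside a run are ignored, as in "4111 1111 1111 1111")?
function looksLikeCardData(payload) {
  const text = typeof payload === 'string' ? payload : '';
  const runs = text.replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Replace scope.WebSocket with a monitored subclass. `report` receives one
// object per finding; with block=true the finding is also prevented
// (connection refused / frame dropped), otherwise it is only reported.
function installWebSocketMonitor(scope, report, { allowlist = ALLOWED_WS_ORIGINS, block = false } = {}) {
  const Native = scope.WebSocket;
  if (typeof Native !== 'function') return false;

  class MonitoredWebSocket extends Native {
    constructor(url, protocols) {
      const target = String(url);
      const verdict = classifyWebSocketTarget(target, allowlist);
      if (verdict !== 'allowed') {
        report({ event: 'connect', url: target, verdict });
        if (block) throw new Error('WebSocket to unapproved origin refused: ' + target);
      }
      super(url, protocols);
      this.monitoredUrl = target;
    }
    send(data) {
      if (looksLikeCardData(data)) {
        report({ event: 'send', url: this.monitoredUrl, verdict: 'card-like-payload' });
        if (block) return undefined; // drop the frame
      }
      return super.send(data);
    }
  }
  scope.WebSocket = MonitoredWebSocket;
  return true;
}

// Offline demonstration using a constructed stand-in for the browser socket.
function demo() {
  const events = [];
  class FakeSocket {
    constructor(url) { this.url = String(url); this.sent = []; }
    send(data) { this.sent.push(data); }
  }
  const scope = { WebSocket: FakeSocket };
  installWebSocketMonitor(scope, (e) => events.push(e), { block: true });

  const approved = new scope.WebSocket('wss://ws.example-orders.test/live');
  approved.send('{"order":"A-100","total":"12.50"}');            // delivered
  approved.send('{"pan":"4111 1111 1111 1111","cvv":"123"}');  // reported and dropped

  let refused = false;
  try { new scope.WebSocket('wss://exfil.invalid/collect'); } catch { refused = true; }

  return { events, deliveredFrames: approved.sent.length, refused };
}
```

The constructor hook covers the case described in this post, where the script source itself is trusted but the WebSocket destination is not; the `send` hook covers the case where the destination is not yet on any blocklist. The same origin allowlist belongs in the site's CSP `connect-src` directive, which also governs WebSocket connections, so that both a policy-level and a runtime control apply.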
How does Source Defense protect you from such attacks?
Source Defense maintains extensive lists of both well-known and lesser-known malicious domains, ensuring they are blocked upon identification on any of our customers’ websites, provided they are using the Protect product.
Customers utilizing the Detect product receive alerts, enabling them to manually remove or block the malicious scripts.