Credit card skimming – the long and winding road of supply chain failure
Sadly, that's long merely in terms of time, not long in terms of technical complexity or the number of links in the chain itself.
In the early 2010s, a web analytics company called Cockpit offered a free web marketing and analytics service.
Numerous e-commerce sites used this service by sourcing JavaScript code from Cockpit's servers, thus incorporating third-party code into their own web pages as trusted content.
To what we can only assume was a mixture of surprise and delight, the crooks apparently found that at least 40 e-commerce sites still hadn't updated their web pages to remove any links to Cockpit, and were still calling home and accepting any JavaScript code that was on offer.
Insert JavaScript code to monitor the content of input fields on predetermined web pages.
Insert additional fields into web forms on selected web pages.
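A site owner can check for this kind of leftover dependency by listing every external script a page still loads and comparing the hosts against the vendors currently in use. The following is an added example, not code from the original article: the host names, the allowlist and the sample page are constructed, and the check for a Subresource Integrity `integrity` attribute is an extra hardening signal the article itself does not discuss.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site owner has reviewed and still has a relationship with.
APPROVED_HOSTS = {"cdn.shop.example"}


class ScriptAudit(HTMLParser):
    """Collect every <script src=...> and classify where it loads from."""
    def __init__(self, page_host, approved):
        super().__init__()
        self.page_host = page_host
        self.approved = approved
        self.findings = []  # tuples of (src, host, problem)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return  # not a script tag, or an inline script (out of scope here)
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(a["src"]).hostname or self.page_host
        if host == self.page_host:
            return
        if host not in self.approved:
            self.findings.append((a["src"], host, "unapproved third-party host"))
        elif not a.get("integrity"):
            self.findings.append((a["src"], host, "approved host, no SRI integrity hash"))


def audit(html, page_host, approved=APPROVED_HOSTS):
    parser = ScriptAudit(page_host, approved)
    parser.feed(html)
    return parser.findings


# Constructed sample page. analytics.defunct-vendor.example stands in for a
# provider whose service ended but whose script tag was never removed.
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://cdn.shop.example/ui.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//analytics.defunct-vendor.example/track.js"></script>
<form id="checkout"></form>
"""

if __name__ == "__main__":
    for src, host, problem in audit(SAMPLE, "shop.example"):
        print(f"{problem}: {src}")
```

Run against the rendered HTML of checkout and login pages in particular, since those are the pages where injected script can read input fields.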