Cyber Incident Victim: Picreel
Date: May 2019
Location: Panama
Summary
Hackers compromised the servers of multiple companies, including Picreel, and injected malicious JavaScript into the scripts those companies serve to their customers' websites. Loaded on thousands of sites, the injected code was built to capture everything a visitor typed into form fields (payment details, passwords, contact information) and send it to a server in Panama. The operation was a supply-chain attack: rather than breaching each website individually, the attackers targeted vendors of the third-party scripts that many sites embed. Some of the injected payloads never ran, either because the attackers' modifications contained coding errors or because the compromised script was deployed only on the vendor's own site. One affected third-party provider disabled the compromised content delivery network hosting an affected script, while clarifying that its own infrastructure had not been breached. The incident illustrates a broader trend of attacks that exploit third-party dependencies to harvest sensitive data indiscriminately from whatever forms a site presents.
Description
The incident involving Picreel came to light on May 12, 2019, as part of a broader campaign against online service providers whose scripts are embedded in other companies' websites. Security researcher Willem de Groot of Sanguine Security first identified malicious scripts on servers belonging to Picreel and Alpaca Forms; RiskIQ researchers subsequently confirmed similar compromises at five more companies: AppLixir, RYVIU, OmniKick, eGain, and AdMaxim. In total the attackers breached at least seven companies and injected malicious code into the scripts they serve, which were in turn loaded by approximately 4,600 customer websites. The injected code was designed to capture all data entered into form fields on those sites, including payment details, login credentials, and contact information, and to exfiltrate it to a server located in Panama. The attack was still ongoing at the time of initial reporting, with the malicious scripts still being served to affected sites.

The campaign marked an escalation in supply-chain attacks because it harvested every form field on an affected site indiscriminately, whereas earlier campaigns had targeted specific data types such as payment card information. Cloud CMS disabled the compromised CDN that served Alpaca Forms' script, but clarified that its own infrastructure had not been breached; the script was compromised within the customer's implementation rather than at Cloud CMS. On Picreel's platform the payload never ran, because the attackers' modifications to the script contained errors that prevented it from executing, and OmniKick saw the same outcome. eGain's compromise was limited to scripts running on its own website rather than in customer-facing deployments. The incident shows attackers shifting toward compromising third-party service providers in order to collect data at scale from the websites downstream of them.
