Researchers Say Magecart-Style Attack Targeted Payment Card Data
Tupperware, known for its colorful array of food storage containers, is the latest company to have its website hit with a card skimmer that siphons off payment card details at checkout, according to the security firm Malwarebytes.
A Tupperware spokesman tells Information Security Media Group that as of Thursday, the company had removed the malicious code from its website and started an investigation.
“Tupperware recently became aware of a potential security incident involving unauthorized code on our U.S. and Canadian ecommerce sites,” the company spokesperson says. “As a result, we promptly launched an investigation, took steps to remove the unauthorized code, and a leading data security forensics firm was engaged to assist in the investigation.”
Following publication of the blog, we noticed that the malicious PNG file has been removed. This will break the skimmer.
However, other artifacts remain present and a full security sweep will be necessary.
— MB Threat Intel (@MBThreatIntel) March 25, 2020
It’s not yet clear how much payment card data may have been stolen or whether any has been offered for sale on dark net sites, Malwarebytes says.
Jérôme Segura, director of threat intelligence at Malwarebytes, tells Information Security Media Group that the skimmer attack likely lasted for at least five days. Tupperware attracts about 1 million visitors each month, the Malwarebytes research report notes.
As more consumers turn to ecommerce as a result of the spread of COVID-19, Segura says these types of skimming attacks are likely to increase.
“It’s really important for online merchants to secure their sites and have a point of contact so that defenders can report these breaches,” Segura says. “Web skimmers have been one of our top detections as far as web threats are concerned, and we are closely monitoring them during this period.”
The Malwarebytes researchers noticed a suspicious iframe on the Tupperware website during a routine scanning exercise earlier this month.
The iframe displays the image a shopper sees during the checkout process. When Malwarebytes looked at the iframe on the Tupperware site, however, it was loading content from a domain called “deskofhelp.com,” which was registered on March 9 and has been tied to phishing attacks, according to the report.
Fake checkout form on Tupperware site (Source: Malwarebytes)
The Malwarebytes researchers saw that the form created by the malicious iframe would collect shoppers’ first and last name, billing address, telephone number, credit card number, credit card expiry date and CVV number. When customers attempted to check out, they would receive an error message, the report notes.
Difficult to Detect
“The most interesting thing here is how threat actors built this iframe dynamically without leaving too many traces. Even though we caught it, we think most web scanners would have missed it,” Segura says. “The technique in itself is not new, but a little bit more elaborate than usual, in particular because embedding data into images – steganography – can make identification harder.”
One tipoff that something was wrong is that the attackers did not adjust the malicious checkout forms for different versions of the Tupperware websites. For instance, an English language version of the fake page appeared on the Spanish version of Tupperware’s website, according to Malwarebytes.
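Because the iframe was built at runtime, a scan of the static page source can miss it. The following added example (not code from Malwarebytes or Tupperware) shows a runtime check a merchant could run on a checkout page: it flags any iframe whose host is neither the page's own nor on an allowlist. The allowlist host, the page URL and all function names are assumptions; only the deskofhelp.com domain comes from the report.

```javascript
// Constructed placeholders: the payment provider host and the sample page URL.
const ALLOWED_FRAME_HOSTS = ["payments.example-psp.test"];
const SAMPLE_PAGE = "https://shop.example.test/checkout";
const SAMPLE_SRCS = ["/cart/frame.html", "https://payments.example-psp.test/form",
                     "https://deskofhelp.com/", "data:text/html,<form>", null];

// Classify one iframe src relative to the page that embeds it.
function classifyFrame(src, pageUrl, allowedHosts = ALLOWED_FRAME_HOSTS) {
  // No src (or about:blank) means script writes the content: needs manual review.
  if (!src || src === "about:blank") return "inline";
  let url;
  try {
    url = new URL(src, pageUrl); // resolves relative paths against the page
  } catch {
    return "unparseable";
  }
  // data:, javascript:, blob: and plain http: have no place in a checkout frame.
  if (url.protocol !== "https:") return "bad-scheme";
  if (url.hostname === new URL(pageUrl).hostname) return "same-host";
  // Exact host or a true subdomain; the leading dot stops look-alike suffixes.
  const ok = allowedHosts.some(
    (h) => url.hostname === h || url.hostname.endsWith("." + h));
  return ok ? "allowed" : "unexpected-host";
}

// Return only the frames that need attention.
function auditFrames(srcs, pageUrl, allowedHosts = ALLOWED_FRAME_HOSTS) {
  return srcs
    .map((src) => ({ src, verdict: classifyFrame(src, pageUrl, allowedHosts) }))
    .filter((f) => f.verdict !== "same-host" && f.verdict !== "allowed");
}

// Browser hook: re-audit whenever script adds a node or rewrites a src attribute.
function watchFrames(report) {
  const scan = () => {
    const srcs = [...document.querySelectorAll("iframe")]
      .map((f) => f.getAttribute("src"));
    const findings = auditFrames(srcs, location.href);
    if (findings.length) report(findings);
  };
  new MutationObserver(scan).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["src"],
  });
  scan();
}

if (typeof document !== "undefined") {
  watchFrames((findings) => console.warn("unexpected checkout iframe", findings));
}
```

A `frame-src` directive in the site's Content-Security-Policy enforces the same allowlist in the browser itself; the check above adds reporting for frames that appear after page load.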
In addition, researchers reported this month that payment card data stolen last year when hackers compromised online stores that were using the Volusion checkout platform is now surfacing on dark web sites and forums (see: For Sale: Card Data From Online Stores Using Volusion).
Managing Editor Scott Ferguson contributed to this report.