The COVID-19 virus epidemic has seen a 23% rise in visitors to UK independent ecommerce sites and similarly, on a global scale, many companies have transitioned to fully ecommerce-based business practice and are seeing an increase in online shoppers. Additionally, employees are either remote working, self-isolating or ill. This pivot in business continuity means websites are increasingly vulnerable to being attacked.
Our sources state that there has been a 20% increase in web-skimming attacks since the outbreak of the COVID-19 virus, and this month we have witnessed some high-profile Magecart attacks.
Latest Attacks:
- NutriBullet
- TrueFire
- Tupperware
NutriBullet
On March 18th, Threatpost reported that popular blender company NutriBullet suffered a Magecart Attack on their website ‘nutribullet.com’. The code was present for 26 days from February 20th, 2020 until March 17th when NutriBullet removed the code.
Like most Magecart attacks, the code was specifically targeting the checkout page to steal payment information. This tactic also allows hackers to go undetected by some solutions as the code is only loaded on one page rather than the full website.
The skimmer found on the NutriBullet site used a page check to confirm the browser page looks like a payment page. Once verified the code will call in the skimming function which steals the customers’ data as they enter it. It then sends the data to an external server operated by the hacker.
Researchers were able to take down the hacker’s exfiltration domain, meaning no more data could be stolen. However, they observed the first skimmer being removed on March 1st and replaced with a new skimmer and exfiltration URL on March 5th. Once again researchers took down the domain, however, another skimmer was found again on March 10th, thankfully with the same now-defunct domain.
It is believed to be Magecart Group 8 who have carried out the attack. Magecart Group 8 were responsible for attacks including the 2019 pillow manufacturers Amerisleep and MyPillow. The group targets individuals in highly technical attacks as opposed to widespread attack techniques used by other Magecart groups.
NutriBullet stated that their team will work closely with outside cybersecurity specialists to prevent future attacks in the future.
TrueFire
TrueFire is an online guitar tutoring platform with over 1 million users. They have announced a data breach on their website in which an attack exposed customers’ payment information. The Hacker News reported the attack on March 17th, 2020 which had not yet been publicly disclosed. Affected customers posted the Notice of Data Breach letter they received from TrueFire online.
The letter confirms the website was compromised for over 5 months from August 3rd, 2019 – January 14, 2020. Although not confirmed to be the Magecart group, the company states; “While we do not store credit card information on our website, it appears that the unauthorized person gained access to the site and could have accessed the data of consumers who made payment card purchases while that data was being entered”.
The company confirmed they patched the web vulnerability that allowed attackers to compromise the website in the first place.
Tupperware
The global household staple brand Tupperware is the latest company to suffer a Magecart attack. SC Magazine reported the attack on March 25th whilst the attack was still active. The attack, discovered on March 20th, occurred on the tupperware[.]com site and some local sites. Researchers explain how the hacker hid malicious code within an image file that activated a fraudulent payment form during the checkout process.
Researchers discovered a suspicious iframe loaded from deskofhelp[.]com when visiting the Tupperware’s checkout page, which displays the payment form fields used by shoppers. The domain was registered on March 9th and links to a Russian email address provider.
Threatpost also explained how the hacker used a unique tactic to hide card theft; “Once shoppers entered their data into the rogue iframe, they are immediately shown an “error” pretending to be a session time-out. The session time-out message is even copied from CyberSource, the legitimate payment platform used by Tupperware.”
Although the hacker went to great lengths to hide their malicious activity, they were not as careful in how the malicious form appeared on localised pages. Although the Spanish version of the Tupperware site was written in Spanish, an English payment form was still present.
On March 27th, Tupperware released a statement stating they “promptly launched an investigation, took steps to remove the unauthorized code, and a leading data security forensics firm was engaged to assist in the investigation.”
Although the number of affected customers is unknown, the malicious code was present on the website for at least 6 days. The Tupperware site averages more than one million visitors each month, which could give some indication to the scale of the data breach.
RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Attack Detection would have detected every attack. Attack detection takes less than 5 minutes to set-up and will alert you to any untrusted data on your ecommerce site.
Other Security News:
- What You Need to Know About E-Skimming
- Why CSP Isn’t Enough to Stop Magecart-Like Attacks
- Hackers Get $1.6 Million for Card Data from Breached Online Shops
- Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites
- Crafty Web Skimming Domain Spoofs “https”
- IT businesses see two-fold increase in cyberattacks
- Post-lockdown eCommerce boost increases security concerns
