[BreachExchange] Skimming code battle on NutriBullet website may have risked customer credit card data

Destry Winant destry at riskbasedsecurity.com
Thu Mar 19 10:09:55 EDT 2020


https://www.zdnet.com/article/skimming-code-lurking-on-nutribullet-website-puts-customer-credit-card-data-at-risk/

NutriBullet has become the latest in a string of Magecart victims with
skimmer code implanted on the firm's domain in order to steal customer
financial data.

Research made public on Wednesday by RiskIQ said the intrusions were
the work of Magecart Group 8, a collective under the Magecart
umbrella.

Magecart is a general term now used to define attacks using JavaScript
code and website vulnerabilities to plant skimmers on pages related to
online purchases. Skimmer code covertly siphons away payment card
information when submitted by customers during online purchases.

This data is then whisked away to a command-and-control (C2) server
controlled by an attack group, where it may be sold in bulk or used to
make fraudulent purchases.

According to RiskIQ researcher Yonathan Klijnsma, Magecart skimmer
code was recently detected on the international domain for the blender
manufacturer.

First spotted on February 20, the original skimmer was removed by
March 1, but only five days later, another skimmer was installed. The
cat-and-mouse game continued, with RiskIQ working quickly with AbuseCH
and ShadowServer to take down the C2 facilitating the transfer of
stolen card data.

However, on March 10, skimmer code with yet another replacement C2
address was detected.

External help and removing the external domains connected to the
skimmer are simply not enough: as long as vulnerabilities or
weaknesses in the website infrastructure exist, attackers can simply
deploy new malicious payloads to resume criminal operations.


The first skimmer targeted a jQuery JavaScript library used by all
NutriBullet pages and was appended at the bottom of the library. This
particular code sample has been detected in over 200 compromised
domains including in the case of the same Magecart group striking
Amerisleep and MyPillow in 2019.

The second skimmer targeted a separate resource, a submodule for
jQuery, whereas the third was injected at the top of another script on
the NutriBullet domain, main-build-8a9adc31.js.
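The two placements described above (code appended to the bottom of a shared jQuery library, and code injected at the top of a first-party script) are exactly what a script-integrity baseline catches, regardless of which C2 domain the payload currently points at. The following Python is an added example, not code from the article, RiskIQ or NutriBullet: it compares the scripts a site actually serves against the bodies the build pipeline shipped, flags any SHA-256 mismatch, and reports whether the foreign content sits before or after the known-good body. The file names are taken from the article; their contents and the "served" copies are constructed stand-ins, and the injected lines are inert placeholders rather than skimmer code.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the script bodies the build pipeline is known to have
# shipped. The file names come from the article (a jQuery library and
# main-build-8a9adc31.js); the contents are stand-ins, not the real files.
BASELINE: Dict[str, str] = {
    "jquery.min.js": "/*! jQuery stand-in */\n(function(w){w.$=function(s){return s;};})(window);\n",
    "main-build-8a9adc31.js": "(function(){var app={};app.init=function(){};window.app=app;})();\n",
}

# Constructed sample of what a crawl of the live site returned: one library
# has content appended at the bottom, one has content prepended at the top,
# mirroring the two placements the article describes. The foreign lines are
# inert placeholders, not skimmer code.
SERVED: Dict[str, str] = {
    "jquery.min.js": BASELINE["jquery.min.js"] + "/* constructed: unexpected trailing block */\n",
    "main-build-8a9adc31.js": "/* constructed: unexpected leading block */\n" + BASELINE["main-build-8a9adc31.js"],
}


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a script body; the value a baseline manifest would store."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def classify_change(expected: str, observed: str) -> str:
    """Describe how the served body differs from the baseline body.

    'appended'  : baseline is an exact prefix (code tacked on at the bottom)
    'prepended' : baseline is an exact suffix (code injected at the top)
    'modified'  : anything else (in-place edit, re-minified, or replaced)
    """
    if observed == expected:
        return "unchanged"
    if observed.startswith(expected):
        return "appended"
    if observed.endswith(expected):
        return "prepended"
    return "modified"


def foreign_content(expected: str, observed: str) -> Optional[str]:
    """Return the text that is not part of the baseline, when it can be isolated."""
    kind = classify_change(expected, observed)
    if kind == "appended":
        return observed[len(expected):]
    if kind == "prepended":
        return observed[: len(observed) - len(expected)]
    return None


def audit(baseline: Dict[str, str], served: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Compare every baseline script against its served copy.

    Returns (name, kind, foreign) for each script that is missing or whose
    SHA-256 no longer matches the baseline; unchanged scripts are omitted.
    """
    findings: List[Tuple[str, str, Optional[str]]] = []
    for name, expected in baseline.items():
        observed = served.get(name)
        if observed is None:
            findings.append((name, "missing", None))
            continue
        if sha256_hex(observed) == sha256_hex(expected):
            continue
        findings.append((name, classify_change(expected, observed),
                         foreign_content(expected, observed)))
    return findings


if __name__ == "__main__":
    for name, kind, foreign in audit(BASELINE, SERVED):
        print(f"{name}: {kind}")
        if foreign is not None:
            print("  foreign content:", foreign.strip())
```

In a real deployment the `SERVED` dictionary would be filled by fetching each script URL from the production site on a schedule, and the baseline hashes would be recorded at build time; a `modified` result deserves the same attention as `appended` or `prepended`, since an attacker with write access to the web root is not limited to tacking code onto either end of a file. The check detects the symptom only: the article's point that the underlying weakness must also be closed still applies, otherwise the next alert simply arrives after the next re-infection.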

At the time the blog post was made public, RiskIQ said it had
attempted to contact NutriBullet over the course of three weeks but
had received no response. The cybersecurity firm recommended that
customers avoid "making any purchases on the site as customer data is
endangered."

Update 15.50 GMT: The company said the team began working on March 17
to contain the issue.

A NutriBullet spokesperson told ZDNet that the company "takes
cybersecurity and personal privacy extremely seriously and is
dedicated to the protection of our customers."

"Our IT team immediately sprang into action this morning (3/17/20)
upon first learning from RiskIQ about a possible breach," the company
added. "The company's IT team promptly identified malicious code and
removed it. We have launched forensic investigations to determine how
the code was compromised and have updated our security policies and
credentials to include Multi-Factor Authentication (MFA) as a further
precaution. Our team will work closely with outside cybersecurity
specialists to prevent further incursions. We thank RiskIQ for
bringing this issue to our attention."

Magecart Group 8 tends to home in on specific targets rather than use
a "spray-and-pray" approach. In 2019, the threat group targeted the
web infrastructure of a national diamond exchange, and by compromising
the main backend, the group was able to infect multiple local domains.

"Given the lucrative nature of card skimming, Magecart attacks will
continue to evolve and surprise security researchers with new
capabilities," Klijnsma said. "They're learning from past attacks to
stay one step ahead, so it's on the security community to do the
same."

ZDNet has reached out to NutriBullet and will update if we hear back.

