[BreachExchange] Credit Card Skimmer Found on Tupperware Website

Destry Winant destry at riskbasedsecurity.com
Fri Mar 27 10:28:29 EDT 2020


https://www.securityweek.com/credit-card-skimmer-found-tupperware-website

People who made purchases from the official Tupperware website over
the past couple of weeks may have had their payment card information
stolen, cybersecurity firm Malwarebytes warned on Wednesday.

Cybercriminals apparently hacked tupperware[dot]com and planted
malicious code designed to steal payment card information. The credit
card skimmer was planted on the main website and some of its localized
versions, Malwarebytes said.

The website has nearly one million visitors every month, which
indicates that the hackers may have obtained a significant number of
payment card records as a result of this attack.

According to Malwarebytes, the credit card skimmer planted on the
Tupperware website displayed a fake payment form during the checkout
process. The form asked unsuspecting users to provide information such
as name, billing address, phone number, credit card number, card
expiry date, and CVV.

Once the information was handed over to the hackers, a “session timed
out” message was displayed and the victim was directed to the
legitimate checkout page. However, by that time the attackers already
had their information.

Malwarebytes said it was unclear how the attackers breached the
Tupperware website, but it’s possible that they did it through a
Magento vulnerability — the website is running an outdated version of
the Magento e-commerce platform.

As for how long the skimmer was present, the company’s researchers
believe the malicious code was planted sometime after March 9, the
registration date of the domain responsible for loading the iframe
that displayed the phishing page.

Malwarebytes noticed the skimmer on the Tupperware website on March 20
and immediately alerted the vendor. However, Tupperware ignored
Malwarebytes’ emails and calls and the malicious code remained active
until March 25, when the cybersecurity firm made its findings public.
The malicious code was removed shortly after a blog post describing
the attack was published.

SecurityWeek has reached out to Tupperware for comment and will update
this article if the company responds.

A significant number of major companies had their websites hacked in
similar attacks over the past year and many of these operations have
been attributed to Magecart, an umbrella term that encompasses
multiple different threat groups that use the same technique to steal
payment card information.

“Though the iframe injection was crafty, this type of attack should
only work on websites that have implemented very few security
measures. Standard server headers to block iframes would have stopped
this attack,” Matt Keil, director of product marketing at Cequence,
told SecurityWeek. “As we look at how Magecart attacks work, having a
simple understanding of where your clients are being redirected is
becoming necessary. 3rd party code is needed but it shouldn’t be an
open attack vector whether it is placed on the website maliciously,
brought in to the client via an iframe or has a legitimate use,
organizations need to monitor how it is impacting their clients.”
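
Added example (not part of the SecurityWeek article or Malwarebytes' research): the response header that restricts what a page may load in an iframe is Content-Security-Policy, and this Python sketch checks whether a given policy would let a checkout page frame a third-party origin. It implements a simplified subset of CSP source matching (ports and paths are ignored), and every origin and policy in it is constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values (reserved .example names, not from the article).
PAGE = "https://shop.example"
SKIMMER = "https://skimmer.example/form.html"
POLICY = "default-src 'self'; frame-src 'self' https://pay.example"

def frame_sources(csp_header):
    """Return the source list that governs iframes, or None if unrestricted."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later repeats are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # Fallback chain for nested browsing contexts.
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return directives[name]
    return None

def source_matches(source, url, page_origin):
    """Simplified source-expression match: keywords, schemes, hosts, wildcards."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    src = source.lower()
    if src == "'self'":
        own = urlsplit(page_origin)
        return (target.scheme, host, target.port) == (own.scheme, own.hostname, own.port)
    if src == "*":
        return target.scheme in ("http", "https")
    if src.endswith(":") and "/" not in src:       # scheme source such as https:
        return target.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")
    if scheme and target.scheme != scheme:
        return False
    pattern = rest.split("/")[0].split(":")[0]     # drop path and port
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])          # subdomains only, not the bare domain
    return host == pattern                         # 'none' and other keywords never match

def iframe_allowed(csp_header, page_origin, iframe_url):
    sources = frame_sources(csp_header)
    if sources is None:
        return True                                # nothing in the policy restricts frames
    return any(source_matches(s, iframe_url, page_origin) for s in sources)

if __name__ == "__main__":
    for policy in ("", "script-src 'self'", POLICY):
        print(repr(policy), "->", iframe_allowed(policy, PAGE, SKIMMER))
```

A policy that only sets script-src leaves iframes unrestricted, which is why the second case still allows the constructed skimmer origin. The header helps only while the attacker cannot rewrite the server's responses.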

