Malicious code injected into the websites of household brand Tupperware is stealing customers’ credit card details – and a full five days after the company was first contacted about the Magecart-style attack by an established security firm, it has not responded, meaning the threat is still live and shoppers remain at risk.
Santa Clara-based Malwarebytes first identified the attack on March 20. It immediately attempted to notify Tupperware (which sees close to a million page visits a month) of the issue via multiple channels, but said it has failed to rouse a response. Malwarebytes believes the skimmer to have been in place since around March 9, 2020.
When reached by Computer Business Review, Tupperware’s VP of Investor Relations, Jane Garrard, said: “we are following up internally to evaluate the situation”.
Parent company NYSE-listed Tupperware Brands Corporation sells household, beauty and personal care products across multiple brands. It has an independent marketing sales force of 2.9 million, and expects sales of circa $1.5 billion in fiscal 2019.
Credit card skimmers place a fake payment-details form on a company’s website, then harvest the card data entered into it, either to use for fraud directly or to sell on the Dark Web. The Tupperware attackers are capturing customers’ full names, telephone numbers, credit card numbers, expiry dates and credit card CVVs, Malwarebytes said.
The security firm said today: “We called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. At time of publication, we still have not heard back from the company and the site remains compromised.”
The rogue iframe payment form, which is highly convincing. Credit: Malwarebytes
Tupperware Hacked: What’s Happened?
The cyber criminals involved have hidden malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none the wiser.
Malwarebytes (which noticed the issue after spotting “a suspicious-looking iframe” during a web crawl), said: “There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly.”
The iframe – a common way to nest another browser window inside a web page – is loaded from the domain deskofhelp[.]com when a shopper visits the checkout page on Tupperware’s site, and is responsible for displaying the payment form fields presented to online shoppers. The domain was only created on March 9, is registered to a Russian email address and is hosted on a server alongside a number of phishing domains.
Malwarebytes said: “Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That’s because it is loaded dynamically in the Document Object Model (DOM) only… One way to reveal this iframe is to right click anywhere within the payment form and choose ‘View frame source’. It will open up a new tab showing the content loaded by deskofhelp[.]com.”
“The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out. This allows the threat actors to reload the page with the legitimate payment form”. Using this technique, Tupperware doesn’t notice a sudden dip in transactions and customers still get their wares ordered, while the criminals steal the data.
Malwarebytes said: “We see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa, who owns CyberSource, to report this abuse as well.”
Code embedded in a PNG image is responsible for loading the rogue iframe on the checkout page. The threat actors hide the legitimate, sandboxed payment iframe by referencing its element ID and applying the CSS rule display:none to it.
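The two symptoms described above, a payment iframe from an origin that is not the site’s payment provider and the legitimate provider frame being hidden, are both visible in the live DOM even though, as Malwarebytes notes, the rogue frame never appears in the static HTML source. The following is an added example, not code from Malwarebytes or Tupperware, of a defender-side audit that checks a snapshot of a page’s iframes against an allowlist of expected payment-provider origins. The frame descriptors and the origins (payment-provider.example, rogue-frame.example) are constructed placeholders; the real provider origin and the real rogue domain are not reproduced here.

```javascript
// Added example (not Malwarebytes' or Tupperware's code): audit the iframes in a
// checkout page's live DOM against an allowlist of payment-provider origins.
//
// In a browser, the descriptors would be collected from the rendered DOM (not from
// the fetched HTML, which does not contain a dynamically injected frame):
//   Array.from(document.querySelectorAll('iframe')).map(f => ({
//     id: f.id, src: f.src, display: getComputedStyle(f).display }))
// Here they are constructed inline so the audit runs offline.

// Assumed placeholder for the site's genuine payment-provider origin.
const ALLOWED_ORIGINS = ['https://payment-provider.example'];

// Constructed snapshot mirroring the attack described in the article: the genuine
// provider frame has been hidden via display:none, and a second frame from an
// unrelated origin (placeholder; the article names the real domain) is showing.
const SAMPLE_FRAMES = [
  { id: 'psp-payment-frame', src: 'https://payment-provider.example/checkout', display: 'none' },
  { id: '',                  src: 'https://rogue-frame.example/payment.html', display: 'block' },
];

// Return the origin of a frame src, or null if it is not an absolute URL.
function originOf(src) {
  try {
    return new URL(src).origin;
  } catch (e) {
    return null;
  }
}

// Compare every frame against the allowlist and report anomalies in DOM order.
function auditFrames(frames, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const findings = [];
  for (const f of frames) {
    const origin = originOf(f.src);
    if (origin === null) {
      findings.push({ id: f.id, issue: 'unparseable-src', src: f.src });
      continue;
    }
    if (!allowed.has(origin)) {
      // A payment frame served from an origin that is not the contracted
      // provider is the primary indicator of a rogue form.
      findings.push({ id: f.id, issue: 'unexpected-origin', origin });
    } else if (f.display === 'none') {
      // The genuine provider frame being suppressed is the secondary indicator:
      // the attacker hides it so only their own form is visible.
      findings.push({ id: f.id, issue: 'allowed-frame-hidden', origin });
    }
  }
  return findings;
}

// Build the Content-Security-Policy directive that would stop the browser from
// loading any nested frame outside the allowlist in the first place.
function frameSrcPolicy(allowedOrigins) {
  return `frame-src ${allowedOrigins.join(' ')};`;
}

// Stand-alone run: list findings for the constructed snapshot and the policy.
if (typeof require !== 'undefined' && require.main === module) {
  for (const finding of auditFrames(SAMPLE_FRAMES, ALLOWED_ORIGINS)) {
    console.log(JSON.stringify(finding));
  }
  console.log(frameSrcPolicy(ALLOWED_ORIGINS));
}
```

The audit must run against the rendered DOM (for instance from a browser extension, a synthetic-monitoring script, or the developer console) because a crawler that only downloads the HTML will never see a frame that is inserted by script at runtime. The `frame-src` directive is the preventive counterpart: a Content-Security-Policy header with that directive makes the browser refuse to load a nested frame from an origin not on the list, regardless of where on the page the injecting code came from.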
Malwarebytes noted that it was not clear how the malicious PNG image is loaded, but “a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.” (Magento is owned by Adobe).
Jérôme Segura, Malwarebytes’ director of threat intelligence, told Computer Business Review: “We understand that businesses have been disrupted in light of the coronavirus crisis, and that employees are working remotely, which accounts for delays.
“Our decision to go public is to ensure that the problem is being looked at in a timely manner to protect online shoppers”.