Users have been warned to avoid shopping on the website of kitchenware brand Tupperware for the time being after researchers at Malwarebytes discovered an active credit card skimmer on the website that, at the time of writing, remains in place.
The targeted cyber attack was uncovered on 20 March 2020, and despite alerting Tupperware immediately, Malwarebytes claimed that none of its calls or emails were answered.
“We called Tupperware on the phone several times, and also sent messages via email, Twitter and LinkedIn,” said Malwarebytes’ Jérôme Segura. “However, at time of publication, we still have not heard back from the company and the site remains compromised.”
Tupperware’s official site and a number of localised versions currently contain malicious code within an image file that activates a fake payment form when shoppers are checking out. The form collects customer payment data using a digital credit card skimmer to pass it to cyber criminals.
“Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats we monitor at Malwarebytes. For the past several years, a number of criminals – usually tied to organised Magecart groups – have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers,” said Segura.
Segura added: “In light of the Covid-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers, moving forward.”
Segura said the cyber criminals behind the hack had put a considerable amount of work into compromising Tupperware’s website to integrate their card skimmer and remain undetected.
The compromise was discovered during a standard web crawl, when researchers spotted a suspicious-looking iframe loading from another domain when visiting Tupperware’s checkout page. The iframe in question displays the payment form fields that shoppers see.
However, the third-party domain contained some big red flags – it was created only on 9 March, is registered with Russian provider Yandex, and is hosted on a server that contains other phishing domains.
Because of how it is loaded, the malicious iframe cannot be seen on inspecting the checkout page’s HTML code, but can be revealed if a user right-clicks within the payment form and chooses to “view frame source” in Chrome.
It also contains a small flaw, in that the attackers did not properly localise their malicious form – on the Spanish version of Tupperware’s site, it appears in English.
The attack dupes users by showing them a fake session time-out message when they enter their payment details. The cyber criminals then reload the legitimate page and victims enter their information a second time, by which time the data theft has already taken place.
Data exfiltrated includes first and last names, billing addresses, phone numbers, credit card numbers, expiry dates and CVV codes.
Segura said he did not know how Tupperware had been hacked, but suggested that the company may be running an unpatched version of the open source Magento e-commerce software.
Tupperware had not responded to a request for comment at the time of publication.