Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2020
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Skimmer May Have Put NutriBullet Customers' Card Data at Risk for Nearly a Month

Blender maker is the latest victim of Magecart.

Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products.

The move came about one month after security vendor RiskIQ first detected the malware on NutriBullet's website and apparently informed the company about it shortly thereafter. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until today.

Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch — two malware fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data. The effort resulted in the card-skimmer being removed from NutriBullet's website on March 1, only to be replaced with a new one on March 5.

RiskIQ once again worked to neutralize the attacker's data-exfiltration domain and, in a repeat of the first time, the threat actors placed a new card skimmer on NutriBullet's website a few days later. Over the past few weeks, the criminals had access to NutriBullet's infrastructure and continued to be able replace the skimmer domain in the code to make it work again, RiskIQ said in a report Wednesday. Customers who placed orders on NutriBullet's website between February 20 and today are likely to have been affected, RiskIQ said.

In an emailed statement to Dark Reading, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet's statement suggested the company first learned of the skimmer today, which is at odds with RiskIQ's claims about the company having been notified previously about the issue. RiskIQ has continued to maintain that it made multiple previous attempts to reach NutriBullet.

"Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," NutriBullet said. "The company's IT team promptly identified malicious code and removed it." NutriBullet said it had launched a forensic investigation to determine how the attackers had managed to place the skimmers on its website. It has also updated its security policies to include multifactor authentication.

NutriBullet is the latest victim of Magecart, a collection of hacker groups that over the last few years has stolen data on hundreds of millions of credit and debit cards by placing card-skimming software on e-commerce sites. Though each of the multiple groups has slightly different tactics and techniques, the most common has been to place skimmers on online shopping cart software or on other third-party software components that websites commonly use.

The card skimmers are designed to steal card information that customers enter into websites when making a purchase. Over the last few years, groups operating under the Magecart umbrella have compromised tens of thousands of large organizations, including Ticketmaster, British Airways, and NewEgg.

Magecart Strategy Highlights Supply Chain Risks
Yonathan Klijnsma, threat researcher at RiskIQ, says the different tactics that Magecart groups use make response harder for organizations. "The end goal is always to get the skimmer functioning on a website's checkout process, but how they place it varies widely — they do it however they can," Klijnsma says. "The same goes for their initial breaching of websites, which can be exploitation of the website [content management system] to reuse of credentials and simply logging in as an administrator."

Klijnsma says RiskIQ has been tracking Magecart activities since 2014 and therefore is able to spot attacks like the one on NutriBullet as they happen. RiskIQ has no visibility into how many purchasers on NutriBullet's website may have had their credit card information stolen, he adds. But based on how Magecart operates, it is likely that customers who shopped at the blender maker's website over the period the skimmers were on it were affected. "We didn't expect radio silence from NutriBullet, but it was sadly the case."

Lamar Bailey, senior director of security research at Tripwire, says most midsize to large companies have a formal process for reporting vulnerabilities and security issues and typically respond quickly when informed about an issue. But getting smaller companies to respond to information about a security threat on their websites can sometimes be a struggle. "I will add that it is worse for companies that develop products for the general public," such as small Internet of Things manufacturers, Bailey says. "Many of them will deprecate the product or end-of-life it instead or fixing it. This leaves customers in a bad position."

For organizations, attacks such as those involving Magecart groups highlight the importance of supply chain security because in most incidents, Magecart operators have placed card skimmers in third-party software such as shopping carts, content management systems, and visitor-tracking tools.

"With modern applications using a host of third-party libraries and services, there are ample locations to effectively poison the supply chain," says Tim Mackey, principal security strategist at Synopsys CyRC.

Therefore, for organizations, the question increasingly is about whom they can trust. When software was sourced solely from commercial vendors, the trust was inherent in the contract between the vendor and purchaser, Mackey says. But when the provenance and authorship of software is unknown, website owners need to have processing for vetting trust.

"If developers can't explain what changed in a given release, that's a problem," Mackey says. "If they can't explain how the code they depend upon gets updated, that's a problem. Both are in effect the equivalent of [saying] 'if it's on the Internet, it must be OK,'" Mackey says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.