Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2020
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Skimmer May Have Put NutriBullet Customers' Card Data at Risk for Nearly a Month

Blender maker is the latest victim of Magecart.

Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products.

The move came about one month after security vendor RiskIQ first detected the malware on NutriBullet's website and apparently informed the company about it shortly thereafter. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until today.

Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch — two malware fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data. The effort resulted in the card-skimmer being removed from NutriBullet's website on March 1, only to be replaced with a new one on March 5.

RiskIQ once again worked to neutralize the attacker's data-exfiltration domain and, in a repeat of the first time, the threat actors placed a new card skimmer on NutriBullet's website a few days later. Over the past few weeks, the criminals had access to NutriBullet's infrastructure and continued to be able replace the skimmer domain in the code to make it work again, RiskIQ said in a report Wednesday. Customers who placed orders on NutriBullet's website between February 20 and today are likely to have been affected, RiskIQ said.

In an emailed statement to Dark Reading, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet's statement suggested the company first learned of the skimmer today, which is at odds with RiskIQ's claims about the company having been notified previously about the issue. RiskIQ has continued to maintain that it made multiple previous attempts to reach NutriBullet.

"Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," NutriBullet said. "The company's IT team promptly identified malicious code and removed it." NutriBullet said it had launched a forensic investigation to determine how the attackers had managed to place the skimmers on its website. It has also updated its security policies to include multifactor authentication.

NutriBullet is the latest victim of Magecart, a collection of hacker groups that over the last few years has stolen data on hundreds of millions of credit and debit cards by placing card-skimming software on e-commerce sites. Though each of the multiple groups has slightly different tactics and techniques, the most common has been to place skimmers on online shopping cart software or on other third-party software components that websites commonly use.

The card skimmers are designed to steal card information that customers enter into websites when making a purchase. Over the last few years, groups operating under the Magecart umbrella have compromised tens of thousands of large organizations, including Ticketmaster, British Airways, and NewEgg.

Magecart Strategy Highlights Supply Chain Risks
Yonathan Klijnsma, threat researcher at RiskIQ, says the different tactics that Magecart groups use make response harder for organizations. "The end goal is always to get the skimmer functioning on a website's checkout process, but how they place it varies widely — they do it however they can," Klijnsma says. "The same goes for their initial breaching of websites, which can be exploitation of the website [content management system] to reuse of credentials and simply logging in as an administrator."

Klijnsma says RiskIQ has been tracking Magecart activities since 2014 and therefore is able to spot attacks like the one on NutriBullet as they happen. RiskIQ has no visibility into how many purchasers on NutriBullet's website may have had their credit card information stolen, he adds. But based on how Magecart operates, it is likely that customers who shopped at the blender maker's website over the period the skimmers were on it were affected. "We didn't expect radio silence from NutriBullet, but it was sadly the case."

Lamar Bailey, senior director of security research at Tripwire, says most midsize to large companies have a formal process for reporting vulnerabilities and security issues and typically respond quickly when informed about an issue. But getting smaller companies to respond to information about a security threat on their websites can sometimes be a struggle. "I will add that it is worse for companies that develop products for the general public," such as small Internet of Things manufacturers, Bailey says. "Many of them will deprecate the product or end-of-life it instead or fixing it. This leaves customers in a bad position."

For organizations, attacks such as those involving Magecart groups highlight the importance of supply chain security because in most incidents, Magecart operators have placed card skimmers in third-party software such as shopping carts, content management systems, and visitor-tracking tools.

"With modern applications using a host of third-party libraries and services, there are ample locations to effectively poison the supply chain," says Tim Mackey, principal security strategist at Synopsys CyRC.

Therefore, for organizations, the question increasingly is about whom they can trust. When software was sourced solely from commercial vendors, the trust was inherent in the contract between the vendor and purchaser, Mackey says. But when the provenance and authorship of software is unknown, website owners need to have processing for vetting trust.

"If developers can't explain what changed in a given release, that's a problem," Mackey says. "If they can't explain how the code they depend upon gets updated, that's a problem. Both are in effect the equivalent of [saying] 'if it's on the Internet, it must be OK,'" Mackey says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: It's the latest version of antivirus.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13775
PUBLISHED: 2020-06-02
ZNC before 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.
CVE-2020-12607
PUBLISHED: 2020-06-02
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a us...
CVE-2020-13764
PUBLISHED: 2020-06-02
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
CVE-2020-13760
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2020-13761
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS.