Blender manufacturer NutriBullet on Wednesday said it had identified and removed malicious code on its website that allowed attackers to steal data from customers entering payment card information on it when purchasing products.
The move came about one month after security vendor RiskIQ first detected the malware on NutriBullet's website and apparently informed the company about it shortly thereafter. According to RiskIQ, NutriBullet did not respond to multiple attempts to alert it about the issue until today.
Researchers at RiskIQ, working in concert with ShadowServer and Abuse.ch, two malware-fighting nonprofits, instead took down the domain the attackers were using to store stolen credit card data. The effort resulted in the card skimmer being removed from NutriBullet's website on March 1, only to be replaced with a new one on March 5.
RiskIQ once again worked to neutralize the attacker's data-exfiltration domain and, in a repeat of the first time, the threat actors placed a new card skimmer on NutriBullet's website a few days later. Over the past few weeks, the criminals had access to NutriBullet's infrastructure and were able to keep replacing the skimmer's exfiltration domain in the code to make it work again, RiskIQ said in a report Wednesday. Customers who placed orders on NutriBullet's website between February 20 and today are likely to have been affected, RiskIQ said.
In an emailed statement to Dark Reading, NutriBullet acknowledged the issue and claimed the matter had been quickly resolved. NutriBullet's statement suggested the company first learned of the skimmer today, which is at odds with RiskIQ's claims about the company having been notified previously about the issue. RiskIQ has continued to maintain that it made multiple previous attempts to reach NutriBullet.
"Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," NutriBullet said. "The company's IT team promptly identified malicious code and removed it." NutriBullet said it had launched a forensic investigation to determine how the attackers had managed to place the skimmers on its website. It has also updated its security policies to include multifactor authentication.
NutriBullet is the latest victim of Magecart, a collection of hacker groups that over the last few years has stolen data on hundreds of millions of credit and debit cards by placing card-skimming software on e-commerce sites. Though each of the multiple groups has slightly different tactics and techniques, the most common has been to place skimmers on online shopping cart software or on other third-party software components that websites commonly use.
The card skimmers are designed to steal card information that customers enter into websites when making a purchase. Over the last few years, groups operating under the Magecart umbrella have compromised tens of thousands of large organizations, including Ticketmaster, British Airways, and NewEgg.
Magecart Strategy Highlights Supply Chain Risks
Yonathan Klijnsma, threat researcher at RiskIQ, says the different tactics that Magecart groups use make response harder for organizations. "The end goal is always to get the skimmer functioning on a website's checkout process, but how they place it varies widely — they do it however they can," Klijnsma says. "The same goes for their initial breaching of websites, which can be exploitation of the website [content management system] to reuse of credentials and simply logging in as an administrator."
Klijnsma says RiskIQ has been tracking Magecart activities since 2014 and therefore is able to spot attacks like the one on NutriBullet as they happen. RiskIQ has no visibility into how many purchasers on NutriBullet's website may have had their credit card information stolen, he adds. But based on how Magecart operates, it is likely that customers who shopped at the blender maker's website over the period the skimmers were on it were affected. "We didn't expect radio silence from NutriBullet, but it was sadly the case."
Lamar Bailey, senior director of security research at Tripwire, says most midsize to large companies have a formal process for reporting vulnerabilities and security issues and typically respond quickly when informed about an issue. But getting smaller companies to respond to information about a security threat on their websites can sometimes be a struggle. "I will add that it is worse for companies that develop products for the general public," such as small Internet of Things manufacturers, Bailey says. "Many of them will deprecate the product or end-of-life it instead of fixing it. This leaves customers in a bad position."
For organizations, attacks such as those involving Magecart groups highlight the importance of supply chain security because in most incidents, Magecart operators have placed card skimmers in third-party software such as shopping carts, content management systems, and visitor-tracking tools.
"With modern applications using a host of third-party libraries and services, there are ample locations to effectively poison the supply chain," says Tim Mackey, principal security strategist at Synopsys CyRC.
Therefore, for organizations, the question increasingly is about whom they can trust. When software was sourced solely from commercial vendors, the trust was inherent in the contract between the vendor and purchaser, Mackey says. But when the provenance and authorship of software is unknown, website owners need to have a process for vetting trust.
"If developers can't explain what changed in a given release, that's a problem," Mackey says. "If they can't explain how the code they depend upon gets updated, that's a problem. Both are in effect the equivalent of [saying] 'if it's on the Internet, it must be OK,'" Mackey says.