Hackers inject Tupperware website with card skimmer; threat remains live

News by Chandu Gopalakrishnan

Hackers able to capture payment data from online shoppers buying from Tupperware and affiliated sites, finds Malwarebytes

Household brand Tupperware and its associated websites are under cyber-attack, reported Malwarebytes. Attempts to alert Tupperware went unanswered, wrote Jérôme Segura, director of threat intelligence at Tupperware.

With the urban population world over being forced to stay indoors, the attack on the globally popular utensil brand whose website commands close to one million monthly visits put online shoppers at risk, noted the report.

“This cyber-attack was discovered during one of our web crawls,” Segura told SC Media UK.  

During the web crawls, Malwarebytes researchers identified a suspicious-looking iframe loaded from the website deskofhelp, when visiting the checkout page at tupperware’s website. This iframe is responsible for displaying the payment form fields presented to online shoppers, said the report.

This domain name itself had a few red flags, said the report. 

It was created on 9 March, and threat actors often use newly-registered domains prior to a new campaign. It is registered to elbadtoy@yandex, an email address with Russian provider Yandex. It seemed at odds for a payment form on a US-branded website. The domain was hosted on a server at 5.2.78[.]19, alongside a number of phishing domains.

“We don’t know how the attackers did it (the attack). However, it appears that the CMS used (Magento) may be out of date,” he estimated. 

The Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English. A detailed examination threw up more signs of foul play.

Other than the official tupperware site, a few of its localised versions were targeted. A malicious code was hidden within an image file that activates a fraudulent payment form during the checkout process. This form collected customer payment data through a digital credit card skimmer and passed it onto the cyber-criminals. The damage was limited to it, said Segura.

“They were only able to capture payment data from online shoppers buying from the affected sites,” Segura said.

Segura told SC Media UK that Malwarebytes has seen this stegano technique being used before. However, this was the most elaborate use, as this targeted attack required a significant amount of customisation.

“The company was alerted on March 20. The company did not return our voice messages or emails. The site still remains compromised,” he added. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews