Skimming code battle on NutriBullet website may have risked customer credit card data

Updated: The cat-and-mouse game between skimmer installation and removal carried on for weeks.


NutriBullet has become the latest in a string of Magecart victims with skimmer code implanted on the firm's domain in order to steal customer financial data. 

Research made public on Wednesday by RiskIQ said the intrusions were the work of Magecart Group 8, a collective under the Magecart umbrella. 

Magecart is a general term now used to define attacks using JavaScript code and website vulnerabilities to plant skimmers on pages related to online purchases. Skimmer code covertly siphons away payment card information when submitted by customers during online purchases. 


This data is then whisked away to a command-and-control (C2) server controlled by an attack group, where it may be sold in bulk or used to make fraudulent purchases. 

According to RiskIQ researcher Yonathan Klijnsma, Magecart skimmer code was recently detected on the international domain for the blender manufacturer. 

First spotted on February 20, the original skimmer was removed by March 1, but only five days later, another skimmer was installed. The cat-and-mouse game continued, with RiskIQ working quickly with AbuseCH and ShadowServer to take down the C2 facilitating the transfer of stolen card data. 

However, on March 10, skimmer code with yet another replacement C2 address was detected. 

External help and removing the external domains connected to the skimmer are simply not enough: as long as vulnerabilities or weaknesses in the website infrastructure remain, attackers can deploy new malicious payloads and resume criminal operations. 


The first skimmer targeted a jQuery JavaScript library used by all NutriBullet pages, with the skimmer code appended at the bottom of the library. This particular code sample has been detected on over 200 compromised domains, including when the same Magecart group struck Amerisleep and MyPillow in 2019.

[Image: RiskIQ]

The second skimmer targeted a separate resource, a submodule for jQuery, whereas the third was injected at the top of another script on the NutriBullet domain, main-build-8a9adc31.js. 


At the time the blog post was made public, RiskIQ said it had attempted to contact NutriBullet over the course of three weeks but had received no response. The cybersecurity firm recommended that customers avoid "making any purchases on the site as customer data is endangered."

Update 15.50 GMT: The company said the team began working on March 17 to contain the issue. 

A NutriBullet spokesperson told ZDNet that the company "takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers."

"Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," the company added. "The company's IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication (MFA) as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions. We thank RiskIQ for bringing this issue to our attention."

Magecart Group 8 tends to home in on specific targets rather than use a "spray-and-pray" approach. In 2019, the threat group targeted the web infrastructure of a national diamond exchange, and by compromising the main backend, the group was able to infect multiple local domains. 

"Given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities," Klijnsma said. "They're learning from past attacks to stay one step ahead, so it's on the security community to do the same."

ZDNet has reached out to NutriBullet and will update if we hear back. 
