Tupperware website hacked and infected with payment card skimmer

Malicious code still active at the time of writing.
Written by Catalin Cimpanu, Contributor

Hackers have breached the website of Tupperware, a US company known for its plastic food container products, and placed malicious code on its website to collect payment card details from site buyers.

The malicious code has been running on the Tupperware homepage for at least five days, Malwarebytes said in a report today.

The US cyber-security firm said it first identified the malicious code last Friday, on March 20, but all attempts to notify Tupperware went unanswered.

According to Malwarebytes, the malicious code on Tupperware's website works by mimicking the company's official payment form.

Every time a user initiates a payment, the malicious code creates an iframe that floats over the page and shows a cloned payment form that mimics Tupperware's original VISA CyberSource payment form.

The cloned form then collects data entered by users, such as first and last name, billing address, telephone number, credit card number, credit card expiry date, and credit card CVV code, and sends this information to a remote server.
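
A defender-side check for the overlay described above, as an added example that is not from the Malwarebytes report or the original article: it audits the iframes seen on a checkout page against an allowlist of expected origins, and also flags frames filled in by script, which goes beyond the case reported here. The origins, frame records and function names are constructed assumptions.

```javascript
// Added example: flags iframes on a checkout page that the site owner did not expect.
// The allowlist and the sample frame records are constructed placeholders.
const ALLOWED_FRAME_ORIGINS = new Set([
  "https://shop.example",      // the store itself (placeholder)
  "https://payments.example",  // the real payment provider (placeholder)
]);

// A frame record is what a browser-side collector would report for each
// <iframe>: its src attribute plus its computed CSS position.
function auditFrames(frames, pageUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  const findings = [];
  for (const f of frames) {
    const reasons = [];
    const src = (f.src || "").trim();
    const lower = src.toLowerCase();
    if (lower === "" || ["about:", "javascript:", "data:"].some((s) => lower.startsWith(s))) {
      // No network origin: the frame's content was written into it by script.
      reasons.push("script-populated frame");
    } else {
      let origin = null;
      try {
        origin = new URL(src, pageUrl).origin; // also resolves relative src values
      } catch (e) {
        reasons.push("unparseable src");
      }
      if (origin !== null && !allowed.has(origin)) {
        reasons.push("origin not allowlisted: " + origin);
      }
    }
    // A frame floating above the page is how a cloned form can cover the real one.
    const floating = f.position === "fixed" || f.position === "absolute";
    if (floating && reasons.length > 0) reasons.push("floats over page content");
    if (reasons.length > 0) findings.push({ src, reasons });
  }
  return findings;
}

// Constructed sample: the expected payment frame, a relative same-site frame,
// a floating frame from an unknown host, and a floating script-filled frame.
const SAMPLE_FRAMES = [
  { src: "https://payments.example/form", position: "static" },
  { src: "/help/chat.html", position: "fixed" },
  { src: "https://cdn.unknown.example/pay.html", position: "fixed" },
  { src: "", position: "absolute" },
];

function runSample() {
  return auditFrames(SAMPLE_FRAMES, "https://shop.example/checkout");
}
```

In a browser, the frame records would come from `document.querySelectorAll("iframe")` and `getComputedStyle`; findings are best reported to a monitoring endpoint rather than shown to the shopper.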

"The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out," said Jérôme Segura, malware researcher at Malwarebytes.

"This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened," Segura added.

According to Segura, the malicious code -- called a web skimmer, or Magecart script -- also ran on Tupperware's localized pages. However, the malicious form is easy to spot there: while the Tupperware site runs in a local language, the malicious form is displayed in English.

A Tupperware spokesperson did not reply to a request for comment. The Tupperware website is ranked in the Alexa Top 100,000 most popular sites on the internet and averages roughly one million visitors per month.

Malwarebytes said it expects the efforts of web skimmer gangs to increase in the coming months, as most of the world's population is confined to their homes and will be relying on online stores for some of their shopping for the foreseeable future.

Updated at 8pm ET to add that Tupperware has removed the malicious code from its servers. The company has yet to respond to Malwarebytes and ZDNet with additional details or a formal statement.
