NutriBullet has become the latest in a string of Magecart victims with skimmer code implanted on the firm’s domain in order to steal customer financial data.
Research made public on Wednesday by RiskIQ said the intrusions were the work of Magecart Group 8, a collective under the Magecart umbrella.
Magecart is a general term now used to define attacks using JavaScript code and website vulnerabilities to plant skimmers on pages related to online purchases. Skimmer code covertly siphons away payment card information when submitted by customers during online purchases.
See also: Financial companies leak 425GB in company, client data through open database
This data is then whisked away to a command-and-control (C2) server controlled by an attack group, where it may be sold in bulk or used to make fraudulent purchases.
According to RiskIQ researcher Yonathan Klijnsma, Magecart skimmer code was recently detected on the international domain for the blender manufacturer.
First spotted on February 20, the original skimmer was removed by March 1, but only five days later, another skimmer was installed. The cat-and-mouse game continued, with RiskIQ working quickly with AbuseCH and ShadowServer to take down the C2 facilitating the transfer of stolen card data.
However, on March 10, skimmer code with yet another replacement C2 address was detected.
External help and removing the external domains connected to the skimmer simply is not enough, as for as long as vulnerabilities or weaknesses in website infrastructure exist, attackers can simply deploy new malicious payloads to resume criminal operations.
CNET: Elections amid coronavirus: How officials aim to keep voters safe
The first skimmer targeted a jQuery JavaScript library used by all NutriBullet pages and was appended at the bottom of the library. This particular code sample has been detected in over 200 compromised domains including in the case of the same Magecart group striking Amerisleep and MyPillow in 2019.
RiskIQ
The second skimmer targeted a separate resource, a submodule for jQuery, whereas the third was injected at the top of another script on the NutriBullet domain, main-build-8a9adc31.js.
TechRepublic: Coronavirus: What business pros need to know
At the time the blog post was made public, RiskIQ said it had attempted to contact NutriBullet over the course of three weeks but had received no response. The cybersecurity firm recommended that customers avoid “making any purchases on the site as customer data is endangered.”
However, in a statement to ThreatPost, the company said the team began working on March 17 to contain the issue.
“The IT team promptly identified malicious code and removed it,” NutriBullet added. “We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution.”
Magecart Group 8 tends to hone in on specific targets rather than use a “spray-and-pray” approach. In 2019, the threat group targeted the web infrastructure of a national diamond exchange, and by compromising the main backend, the group was able to infect multiple local domains.
“Given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities,” Klijnsma said. “They’re learning from past attacks to stay one step ahead, so it’s on the security community to do the same.”
ZDNet has reached out to NutriBullet and will update if we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0