The website of household brand Tupperware, known for its plastic food container products, was infiltrated by hackers using digital skimming code that compromised personal and financial information of almost a million monthly visitors.
The hackers were able to place malicious code on Tupperware’s website to collect details of payment cards that buyers filled in while making purchases. According to Malwarebytes, malicious code hiding in Tupperware’s website was discovered on March 20, which means the malicious code was active on the site for at least five days.
“In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward. There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible,” Malwarebytes said.
The code imitates the company’s official payment form. When the user initiates a payment, the code injects a fake iframe into the site’s checkout page that looks identical to the real payment form. This rogue form collects the data entered by customers, such as their names, telephone numbers and billing addresses, together with their card details (credit card numbers, expiry dates and CVV codes) and sends these details to the attackers’ remote server.
According to the cyber security firm, the skimmer attack is designed so that shoppers enter their payment details in the rogue iframe and immediately receive an error disguised as a session time-out. The second time, the real payment form loads and customers have to enter their payment details again to complete the purchase. But by then the damage is already done, as the unauthorised party has already captured the data.
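The injection technique described above is easiest to defend against if a checkout page only ever embeds frames and scripts from a known set of origins. The following is an added example, not code from Malwarebytes’ write-up or from Tupperware’s site: it scans a page’s markup for iframe and script sources whose origin is not on an allowlist, and builds a Content-Security-Policy header that would have stopped a browser from rendering an injected payment iframe or posting data to an unlisted host. All hostnames (the merchant origin, the payment processor and the look-alike host) are constructed placeholders.

```javascript
// Added example: flag iframe and script sources on a checkout page whose origin
// is not on the merchant's allowlist, and build a Content-Security-Policy that
// confines frames, scripts and outbound connections to that allowlist.
// Every hostname below is a constructed placeholder (.test is a reserved TLD).

const ALLOWED_ORIGINS = new Set([
  "https://shop.example-merchant.test",      // assumed merchant origin
  "https://checkout.example-payments.test",  // assumed legitimate payment processor
]);

// Extract the src attribute of every <iframe> and <script> tag in an HTML string.
// A regex is enough for this demonstration; a production scanner should use a real HTML parser.
function extractEmbeddedSources(html) {
  const re = /<(iframe|script)\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return found;
}

// Resolve each src against the page URL and report those whose origin is not allowlisted.
// Relative URLs (e.g. /static/checkout.js) resolve to the page's own origin.
function findUnexpectedSources(html, pageUrl) {
  const findings = [];
  for (const { tag, src } of extractEmbeddedSources(html)) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin;
    } catch {
      findings.push({ tag, src, reason: "unparseable src" });
      continue;
    }
    if (!ALLOWED_ORIGINS.has(origin)) {
      findings.push({ tag, src, origin, reason: "origin not on allowlist" });
    }
  }
  return findings;
}

// Build a CSP header value restricting frames, scripts, fetch/XHR targets and
// form submissions to the allowlisted origins. A browser enforcing this policy
// refuses to load a frame from, or send form data to, any other host, even if
// the markup has been injected into the page.
function buildCheckoutCsp() {
  const origins = [...ALLOWED_ORIGINS].join(" ");
  return [
    "default-src 'self'",
    `script-src ${origins}`,
    `frame-src ${origins}`,
    `connect-src ${origins}`,
    `form-action ${origins}`,
  ].join("; ");
}

// Constructed sample checkout page: one legitimate payment iframe plus one
// injected iframe pointing at a look-alike host under attacker control.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://checkout.example-payments.test/form"></iframe>
<iframe id="pay" src="https://cdn.example-lookalike.test/tupperware/form.html" style="border:0"></iframe>
</body></html>`;

const SAMPLE_PAGE_URL = "https://shop.example-merchant.test/checkout";

// Stand-alone demo: prints the single unexpected iframe and the generated CSP.
console.log(findUnexpectedSources(SAMPLE_CHECKOUT_HTML, SAMPLE_PAGE_URL));
console.log(buildCheckoutCsp());
```

Run with `node` to see the look-alike iframe reported as the only unexpected source. The scan is useful as a periodic integrity check of the served checkout page, since a skimmer like the one described here is injected server-side and shows up in the HTML the merchant actually delivers; the CSP is the complementary browser-side control, and pairing it with a `report-uri`/`report-to` endpoint turns blocked loads into alerts.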
Timely security patches, penetration tests, and strong authentication can prevent digital skimming attacks
Commenting on the Magecart-style attack targeting Tupperware, Tim Mackey, principal security strategist at the Synopsys CyRC, told TEISS, “Online credit card skimming differs from the physical skimming practices most people have heard about in that there isn’t an obvious way the average person will be able to identify if or when a web site has been compromised. The primary potential tell-tale sign might be that the website itself doesn’t quite look “right”, though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging.
“In the case of the Tupperware attack, the tell-tale sign is an error message when users enter their credit card information. Since credit card processing errors can and do occur, it would be incorrect to assume that all such errors represent an attack. So absent tell-tale signs of compromise, consumers should invest in protections for how they manage their credit cards rather than looking at the websites themselves,” he added.
“This attack highlights the growing risk of digital skimming attacks which can have a devastating impact on both the business and their customers,” said Mark Crichton, Senior Director of Security Product Management at OneSpan.
“In order to avoid becoming victims of digital skimming attacks like this one, e-commerce organisations need to apply security patches for all software components of the website; perform regular penetration tests on web applications to proactively find vulnerabilities; use strong authentication for access to back-end software components of the website; and implement access control based on the need-to-know principle, and deny all other access by default.
“For consumers, there are a number of steps they can take to protect themselves, such as using payment services like Google Pay or Apple Pay so they don’t need to disclose credit card details on the website. Using credit cards over debit cards when making purchases also gives you extra time to recover your money if needed, and finally, keeping an eye on your credit card statements will allow you to spot unexpected payments quickly,” he added.
According to Malwarebytes, Tupperware hasn’t responded to their emails and phone calls as yet. “Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised,” the firm said.