Household brand Tupperware has had several websites compromised by digital skimming code, potentially exposing a million monthly visitors, according to Malwarebytes.
The security vendor discovered a targeted attack aimed at the company’s main dot com site and several localized versions last week.
To harvest Tupperware customers’ card details, the hackers inserted a fake iframe in the site’s checkout page to mimic a real payment form. On further investigation, the iframe was found to be loading content from deskofhelp[.]com, a domain registered just days earlier, on March 9, by a .ru email address.
The same domain is also hosted on a server alongside multiple phishing domains, explained director of threat intelligence, Jérôme Segura.
“The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out,” he added.
“This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.”
The fraudulent payment form itself was activated by malicious code hidden inside a PNG file, a technique known as steganography. It’s unclear exactly how Tupperware was first hacked to insert the malicious image, but Segura claimed it may have been running an outdated version of the Magento e-commerce platform.
However, the group behind the attack isn’t as polished as many others carrying out Magecart-like attacks. For one, they forgot to localize the iframe, so that on foreign language versions of the site, the fake payment page still appeared in English.
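A defender-side check for the rogue checkout iframe described above, as an added example that is not from Malwarebytes or Tupperware: it audits a rendered checkout DOM snapshot and flags any frame whose source is not on an allowlist. The hostnames, the allowlist and the sample markup are constructed, and the snapshot is assumed to come from a headless browser, since a script-injected frame does not appear in the static page source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only hosts the merchant expects to frame at checkout.
ALLOWED_FRAME_HOSTS = {"shop.example", "payments.example"}

class FrameCollector(HTMLParser):
    """Collect the source of every iframe/frame element in the document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            a = dict(attrs)
            if a.get("src"):
                self.frames.append(a["src"].strip())
            elif "srcdoc" in a:
                self.frames.append("srcdoc:")  # inline document, no URL to check

def audit_frames(page_url, html, allowed=ALLOWED_FRAME_HOSTS):
    """Return a (src, reason) pair for each frame that is not on the allowlist."""
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.frames:
        if src == "srcdoc:":
            findings.append((src, "inline srcdoc frame"))
            continue
        # urljoin resolves relative paths and protocol-relative //host URLs.
        parts = urlsplit(urljoin(page_url, src))
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((src, "non-https frame source"))
        elif host not in allowed:
            findings.append((src, f"host {host} not on allowlist"))
    return findings

# Constructed sample: checkout DOM with one expected frame and one rogue frame.
SAMPLE = """
<form id="checkout">
  <iframe src="https://payments.example/form"></iframe>
  <iframe src="//rogue-frame.example/pay.html"></iframe>
</form>
"""

if __name__ == "__main__":
    for src, reason in audit_frames("https://shop.example/checkout", SAMPLE):
        print(f"ALERT {src}: {reason}")
```

The same allowlist can be enforced in the browser with a Content-Security-Policy `frame-src` directive, which blocks a frame from an unlisted origin rather than only reporting it.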
Segura claimed that digital skimming attacks are likely to be ramping up now as online orders come flooding in from shoppers kept at home by COVID-19.
Although Tupperware did not respond to Malwarebytes’s emails, phone calls and social media messages, the PNG file and malicious JavaScript were removed as of Wednesday.