A faction under the Magecart umbrella, Magecart Group 8, targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal the payment-card data of its online customers.
“NutriBullet takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers,” NutriBullet said in a statement to Threatpost. “Our IT team immediately sprang into action [March 17] upon first learning from RiskIQ about a possible breach. The company’s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution. Our team will work closely with outside cyber security specialists to prevent further incursions. We thank RiskIQ for bringing this issue to our attention.”
Hackers inject web skimmers into targeted websites and designed to steal data entered into online payment forms on e-commerce websites. When a visitor goes to that website, these skimmers (such as the popular Pipka or Inter) will then scoop up personal details entered on the site.
The web skimmer that researchers first discovered on NutriBullet’s site first uses a page check (via a simple regex, which is a sequence of characters to define a search pattern) to investigate whether the current browser page looks like a payment page. Once the variables are verified and the page correctly defined as a payment page, the code will call the skimming function. This skimming functionality will grab victims’ payment information as they enter it into the payment field on the website, and then exfiltrate it to attacker controlled servers.
After multiple attempts to contact NutriBullet and receiving no response, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of Swiss security site AbuseCH, and the Shadowserver Foundation, a nonprofit security organization that focuses on malicious internet activity (NutriBullet, for their part, said they had not heard from researchers until March 17).
“Group 8 operators were using this domain to receive stolen credit-card information, and its takedown prevented there being new victims,” said researchers.
Despite taking down the attacker exfiltration domain, researchers said that they observed the skimmer being removed on March 1, only to be replaced with a new skimmer (and a new exfiltration URL) on the website on March 5. Researchers said they believe that the attackers may have removed the skimmer and set up a new domain after the initial domain was blocked. Researchers again worked with AbuseCH and ShadowServer to take down the new domain; but then, they found another skimmer on the NutriBullet website yet again on March 10. This latest skimmer however had the same, now-defunct domain as the previous one.
“At the time the attackers placed the skimmer in this new script, we had already taken down the domain they used for receiving data,” said researchers. “We believe the attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct.”
Researchers said they are familiar with the specific skimmer code used in this incident, as it has been used at least since 2018 by Group 8 – the Magecart group responsible for previous attacks on bedding and pillow manufacturers Amerisleep and MyPillow, as well as Philippine broadcast company ABS-CBN. Group 8 is one of many factions under the Magecart umbrella, which has made headlines over the past year or so for high-profile breaches of companies like VisionDirect, Ticketmaster and more.
This group is unique in that it focuses on individual victims, rather than taking the “shotgun approach” of other Magecart groups that compromises many websites at once. This has proved to be a lucrative technique for the group: For instance, in 2019, Group 8 targeted an unnamed national diamond exchange, allowing them to hit all the exchange’s localized websites at the same time, said researchers.
“Highly targeted, highly technical breaches may become a trend,” said researchers. “As we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right acumen and enough time will find them.”
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.