Experts Insight On Tupperware Website Hacked And Infected With Payment Card Skimmer

It has been reported that hackers have breached the website of Tupperware, a US company known for its plastic food container products, and placed malicious code on its website to collect payment card details from site buyers. The malicious code has been running on the Tupperware homepage for at least five days, according to security researchers. Every time a user initiates a payment, the malicious code creates an iframe that floats over the page and shows a cloned payment form that mimics Tupperware’s original VISA CyberSource payment form.

Experts Comments

March 26, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Online credit card skimming differs from the physical skimming practices most people have heard about in that there isn’t an obvious way the average person will be able to identify if or when a web site has been compromised. The primary potential tell-tale sign might be that the website itself doesn’t quite look “right”, though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging. In the case of the Tupperware attack, the tell-tale sign is an error message when users enter their credit card information. Since credit card processing errors can and do occur, it would be incorrect to assume that all such errors represent an attack. So absent tell-tale signs of compromise, consumers should invest in protections for how they manage their credit cards rather than looking at the websites themselves. Consumers wishing to protect themselves from such attacks should think about:
1. Not storing their credit card information on any website. That’s because if the website could be hacked to install skimming software, it can probably be hacked to collect credit card information other ways.
2. Using a third party one-time use payment method such as Apple Pay, Google Wallet or PayPal – however, they should confirm that the prompt from the web page presented by their chosen payment method looks and behaves normally. That’s because if the website could be hacked to install skimmers, then it likely can be hacked to redirect users to a fake payment portal.
3. Enabling purchase alerts on all credit cards. This allows for immediate monitoring of purchases and helps shorten the length of time malicious actors can use a stolen card. This would be an effective method for the Tupperware attack scenario.
4. Disabling international purchases for all credit cards. This not only limits the ability for malicious actors to profit from the card, but also enables law enforcement to better prosecute perpetrators.
5. Only making purchases at home or when connected to your cellular provider’s network. While coffee shops or other free WiFi locations are convenient, they carry the risk that someone has poisoned the DNS settings and can divert users to fake sites.
March 27, 2020
Justin Fox
Director of DevOps Engineering
NuData Security
Web skimmers or Magecart scripts work by taking advantage of an infrastructure vulnerability caused by misconfiguration. The misconfiguration enables an attacker to discover a potentially vulnerable website (using a shotgun approach) and upload the malicious code to the service provider. To avoid this type of misconfiguration, it’s useful to comply with standardized security benchmarks – like the one from the Center for Internet Security (CIS), which would enable an organization to validate their internal vulnerabilities. It’s also recommended to run a web application firewall with rules that cover common exploits as described by the Open Web Application Security Project (OWASP). Once the consumer payment card data has been skimmed by an attacker, that payment card needs to be rendered inoperable. For businesses that accept payments online, the best way to mitigate financial or reputation damage from an attacker using breached consumer payment card data is by adopting a layered approach to security, applying in-depth defense. By adopting behavioral and passive biometrics technologies that identify customers by their online behavior instead of relying on credentials or credit card numbers, companies can verify a consumer or validate a transaction. This method allows companies to block transactions from credit cards that have been stolen without impacting consumers.
March 26, 2020
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
This does indeed sound like the work of a new cyber gang that has not scaled operations yet. The domain name they chose to register was not customized to blend in to their target victim’s normal web site operations and based on DNS resolution telemetry, it does not seem to have reached any meaningful scale. Nonetheless, this may be the blueprint of future similar attacks on other web sites.
March 27, 2020
Elad Shapira
Head of Research
Panorays
This cyberattack on Tupperware illustrates why it’s so important for companies to keep checking their websites with a critical eye towards injected code. These silent and stealthy attacks are targeting not only retail sites, but also vendors, with the goal of infiltrating the entire supply chain. It's clear that companies must make sure to continuously assess the security of their supply chain partners, and not just during onboarding.
March 27, 2020
Gadi Naveh
Senior Security Researcher
PerimeterX
Fake checkout forms are a common method Magecart attackers use to get around the iframe protections used by legitimate payment services. Skimming toolkits like Inter make this simple and accessible to all attackers. However, their one downside is that they prevent the legitimate transaction from being successfully completed. This attack added another step and reverted to the legitimate form once the payment details were stolen, allowing the user to complete a transaction in a second try. Our research shows that attackers are attempting to get to the crown jewel, a skimmer for hosted iframes that allows the real process to work seamlessly, evading any detection by the user or the website admin. For e-commerce businesses, detecting digital skimming and Magecart attacks requires behavioral analysis of all scripts running on critical web pages such as the payment page. Consumers are also cautioned to look for signs of compromise, such as failed transactions, or forms that look different from the rest of the website.
March 27, 2020
Matt Keil
Director of Product Marketing
Cequence Security
Though the iframe injection was crafty, this type of attack should only work on websites that have implemented very few security measures. Standard server headers to block iframes would have stopped this attack. As we look at how Magecart attacks work, having a simple understanding of where your clients are being redirected is becoming necessary. 3rd party code is needed but it shouldn’t be an open attack vector; whether it is placed on the website maliciously, brought in to the client via an iframe or has a legitimate use, organizations need to monitor how it is impacting their clients. Organizations need to take immediate steps to collect an accurate inventory of third-party resources and establish change control policies to validate new code insertion, updates and modifications to existing code. These steps will go a long way in reducing the digital skimming exposure.
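The inventory and change-control step described in the comments above can be sketched as follows. This is an added example, not code from any of the quoted experts or their companies: it audits a rendered checkout-page snapshot for script and iframe origins missing from an approved inventory, then derives a Content-Security-Policy value from that inventory. All hostnames, the `APPROVED` inventory and the `SNAPSHOT` markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory of approved third-party origins (hypothetical hosts).
APPROVED = {"script": {"https://cdn.shop.example"},
            "iframe": {"https://pay.processor.example"}}

# Constructed rendered-DOM snapshot; the last iframe stands in for an injected form.
SNAPSHOT = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<iframe src="https://pay.processor.example/form"></iframe>
<iframe src="https://unknown-host.example/checkout.html"></iframe>
</body></html>
"""

class ResourceInventory(HTMLParser):
    """Collect the origin of every script and iframe that has a src attribute."""
    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin
        self.found = {"script": set(), "iframe": set()}

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in self.found and src:
            u = urlparse(src)
            # Relative URLs belong to the page's own origin; protocol-relative
            # URLs (//host/path) are treated as https.
            origin = (f"{u.scheme or 'https'}://{u.netloc}"
                      if u.netloc else self.page_origin)
            self.found[tag].add(origin)

def audit(html, page_origin, approved):
    """Return, per tag, the origins on the page that the inventory does not list."""
    inv = ResourceInventory(page_origin)
    inv.feed(html)
    return {tag: sorted(origins - approved[tag] - {page_origin})
            for tag, origins in inv.found.items()}

def csp_from_inventory(approved):
    """Build a CSP value that limits scripts and frames to the inventory."""
    return "; ".join([
        "script-src 'self' " + " ".join(sorted(approved["script"])),
        "frame-src 'self' " + " ".join(sorted(approved["iframe"])),
    ])

if __name__ == "__main__":
    print(audit(SNAPSHOT, "https://shop.example", APPROVED))
    print(csp_from_inventory(APPROVED))
```

Running the audit on every deployment and on a schedule turns the inventory into a change-control gate, while the generated header makes the browser refuse frames and scripts from origins outside it.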