It has been reported that hackers have breached the website of Tupperware, a US company known for its plastic food container products, and placed malicious code on its website to collect payment card details from site buyers. The malicious code has been running on the Tupperware homepage for at least five days, according to security researchers. Every time a user initiates a payment, the malicious code creates an iframe that floats over the page and shows a cloned payment form that mimics Tupperware’s original VISA CyberSource payment form.
Fake checkout forms are a common method Magecart attackers use to get around the iframe protections used by legitimate payment services. Skimming toolkits like Inter make this simple and accessible to all attackers. However, their one downside is that they prevent the legitimate transaction from being successfully completed. This attack added another step and reverted to the legitimate form once the payment details were stolen, allowing the user to complete a transaction in a second try.
Our research shows that attackers are attempting to get to the crown jewel, a skimmer for hosted iframes that allows the real process to work seamlessly, evading any detection by the user or the website admin.
For e-commerce businesses, detecting digital skimming and Magecart attacks requires behavioral analysis of all scripts running on critical web pages such as the payment page. Consumers are also cautioned to look for signs of compromise, such as failed transactions, or forms that look different from the rest of the website.
Though the iframe injection was crafty, this type of attack should only work on websites that have implemented very few security measures. Standard server headers to block iframes would have stopped this attack. As we look at how Magecart attacks work, having a simple understanding of where your clients are being redirected is becoming necessary. 3rd party code is needed but it shouldn’t be an open attack vector whether it is placed on the website maliciously, brought in to the client via an iframe or has a legitimate use, organizations need to monitor how it is impacting their clients.
Organizations need to take immediate steps to collect an accurate inventory of third-party resources and establish change control policies to validate new code insertion, updates and modifications to existing code. These steps will go a long way in reducing the digital skimming exposure.
Web skimmers or Magecart scripts work by taking advantage of an infrastructure vulnerability caused by misconfiguration. The misconfiguration enables an attacker to discover a potentially vulnerable website (using a shotgun approach) and upload the malicious code to service provider. To avoid this type of misconfigurations, it’s useful to comply with standardized security benchmarks – like the one from Center for Internet Security (CIS) which would enable an organization to validate their internal vulnerabilities. It’s also recommended to run a web application firewall with rules that cover common exploits as described by the Open Web Application Security Project (OWASP).
Once the consumer payment card data has been skimmed by an attacker that payment card needs to be rendered inoperable. For businesses that accept payments online, the best way to mitigate financial or reputation damage from an attacker using breached consumer payment card data is by adopting a layered approach to security, applying in-depth defense. By adopting behavioral and passive biometrics technologies that identifying customers by their online behavior instead of relying on credentials or credit card numbers companies can verify a consumer or validate a transaction. This method allows companies to block transactions from credit cards that have been stolen without impacting consumers.
This cyberattack on Tupperware illustrates why it’s so important for companies to keep checking their websites with a critical eye towards injected code. These silent and stealthy attacks are targeting not only retail sites, but also vendors, with the goal of infiltrating the entire supply chain. It\’s clear that companies must make sure to continuously assess the security of their supply chain partners, and not just during onboarding.
This does indeed sound like the work of a new cyber gang that has not scaled operations yet. The domain name they chose to register was not customized to blend in to their target victim’s normal web site operations and based on DNS resolution telemetry, it does not seem to have reached any meaningful scale. Nonetheless, this may be the blueprint of future similar attacks on other web sites.