Recently, US-based online store popular for kitchenware, ‘Tupperware’, has suffered a cyber attack. As discovered by researchers, hackers placed a credit card skimmer on the Tupperware website to steal customers’ data. The attack continued for a while before the vendors could fix it.
Credit Card Skimmer Attack On Tupperware
Researchers from Malwarebytes Labs reportedly found the credit card skimmer running on the Tupperware website. As revealed in their blog post, they found the skimmer codes running on the payment page of the tupperware[.]com and related websites.
In brief, the malicious code running on the site was used to display false payment forms to customers overlaid on the site. Hence, the user could enter the payment card details into that form instead of the original one. As explained by the researchers,
During one of our web crawls, we identified a suspicious-looking iframe loaded from deskofhelp[.]com when visiting the checkout page at tupperware[.]com. This iframe is responsible for displaying the payment form fields presented to online shoppers.
Source: Malwarebytes Labs
What’s different with this skimmer attack is that the attackers ensured keeping the code hidden during random HTML page inspection. Nonetheless, clicking on ‘View frame source’ revealed the malicious source deskofhelp[.]com loading the iframe.
Source: Malwarebytes Labs
The attackers made another blunder when injecting the same code to all localized pages as well. For instance, the payment form remained in English even on the Spanish version of the website bearing the Spanish language.
Source: Malwarebytes Labs
At the end of the attack, the attackers made sure not to alert victim customers. Hence, soon after a customer would enter the card details, the page would reload with an error to present the original payment form to the user to re-enter the information. Hence, the victim would never detect the matter to be a cyber attack.
As a result of this attack, customers who made purchases on the site during the attack period may have lost their information to attackers. The lost details include first and last names, telephone number, billing address, credit card number, CVV, and expiration date.
Tupperware Issues A Statement
Upon detecting the attack, the researchers quickly prompted Tupperware regarding the incident. However, it took a few days for the company to acknowledge and address the matter.
As quoted by ComputerWeekly, Tupperware spokesperson has now provided them with the following statement upon request. In it, the official confirmed fixing the matter by removing the malicious code.
Tupperware recently became aware of a potential security incident involving unauthorised code on our US and Canadian e-commerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorised code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement.
The vendors expressed their inability to share more details about the incident as they continue with their investigations. Though, they have reassured customers of their vigilance towards protecting customers’ data, yet, they haven’t publicly disclosed the incident on their website or social media account.
Let us know your thoughts in the comments.