Since February, a prominent Magecart cybercriminal group has injected the same Java-based payment card skimmer program not one, not two, but three times into the compromised international website of blender manufacturer NutriBullet, researchers from RiskIQ have reported.
Each time a skimmer was removed from nutribullet.com, the criminal actors, known as Magecart Group 8, would reintroduce a replacement skimmer into the breached web environment, according to RiskIQ threat researcher Yonathan Klijnsma, in a company blog post on Wednesday.
NutriBullet and its parent company Capital Brands on Wednesday told SC Media that it remedied the website compromise on March 17, but RiskIQ's report does not support this assertion. Rather, Klijnsma claims that NutriBullet did not respond to RiskIQ's multiple attempts at private disclosure over the course of roughly one month's time, and that it was RiskIQ who repeatedly took action to remove the attacker's exfiltration domain, with the help of anti-malware project Abuse.ch and the nonprofit Shadowserver Foundation.
"Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered," Klijnsma said in the RiskIQ blog post. A PR representative for RiskIQ told SC Media that the company's account of what transpired still holds true.
And yet, that does not jibe with NutriBullet's take: "Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach," the corporate statement said. "The company’s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication (MFA) as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions."
RiskIQ says the first skimmer was observed on Feb. 20 and removed no later than March 1; the second was added just four days later on March 5, and the third was installed on March 10.
In the first instance, the threat actor reportedly appended a skimmer -- one the group has used on more than 200 victim domains since 2018 -- at the bottom of the NutriBullet website's jQuery library.
The adversary used the same skimmer in the second attack wave as well, but this time targeted a submodule for jQuery for injection and used a different exfiltration domain, the report continues.
The third time the skimmer was introduced, it was injected in yet another location, this time toward the top of the script. But they used an exfiltration domain that had already been removed. At that point, "We believe the attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct," the blog post states.
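All three placements described above (appended to the jQuery library, injected into a submodule, inserted near the top of a script) are departures from a known-good copy of the site's own scripts, which is what makes them detectable by routine integrity checks. The following Python example is added here and is not from RiskIQ's report or NutriBullet; it compares served scripts against a baseline and classifies where the extra code landed. File paths and script contents are constructed placeholders.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_change(baseline: bytes, current: bytes) -> str:
    """Say where extra code landed relative to the known-good script."""
    if current == baseline:
        return "unchanged"
    if current.startswith(baseline):
        return "appended"     # extra code after the library's own end
    if current.endswith(baseline):
        return "prepended"    # extra code ahead of the original script
    return "modified"         # inserted mid-file or rewritten outright

def audit_scripts(baseline: dict, served: dict) -> list:
    """Compare each served script with its baseline copy.
    Returns (path, status, extra_bytes) for anything worth investigating:
    changed, missing, or unexpected scripts. Unchanged scripts are skipped."""
    findings = []
    for path, good in baseline.items():
        now = served.get(path)
        if now is None:
            findings.append((path, "missing", 0))
            continue
        if sha256_hex(now) == sha256_hex(good):
            continue  # hash match: nothing to investigate
        findings.append((path, classify_change(good, now), len(now) - len(good)))
    for path in served.keys() - baseline.keys():
        findings.append((path, "unexpected", len(served[path])))
    return findings

# Constructed sample data: paths and contents are illustrative, not NutriBullet's.
BASELINE = {
    "/js/jquery.min.js": b"/*! jQuery v3.4.1 */\n(function(){/* library body */})();\n",
    "/js/jquery.submodule.js": b"(function($){/* plugin body */})(jQuery);\n",
}
INJECTED = b"/* constructed stand-in for injected code */\n"
SUB = BASELINE["/js/jquery.submodule.js"]
SERVED = {
    "/js/jquery.min.js": BASELINE["/js/jquery.min.js"] + INJECTED,  # appended at the bottom
    "/js/jquery.submodule.js": SUB[:12] + INJECTED + SUB[12:],      # inserted near the top
    "/js/unknown.js": INJECTED,                                      # script not in baseline
}

if __name__ == "__main__":
    for path, status, extra in audit_scripts(BASELINE, SERVED):
        print(f"{status:10} {extra:+6d} bytes  {path}")
```

Running the check against every page load (or against a crawl of the live site) rather than once turns it into the continuous assurance the experts quoted below call for; a second exfiltration-domain allowlist on outbound requests would catch the same activity from the network side.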
"Magecart attacks continue to inject themselves into payment portals on websites, and show no signs of slowing down," said Javvad Malik, security awareness advocate at KnowBe4. "It is why it's important for organizations to embed a culture of security so that each team takes on the responsibility not just to embed security in design and deployment, but [also to] factor in continuous security assurance so that any unauthorized changes can be quickly detected and investigated."
"Magecart attacks are reaching fever pitch with multiple attackers using a variety of techniques to compromise websites and steal credit card numbers," added Ameet Naik, security evangelist at PerimeterX. "This attack was persistent, with a strong foothold on the website. The attack kept streaming out the stolen data even after several takedown attempts by a third party. Businesses need to be faster to react to attacks in order to avoid negative brand impact and to ensure the protection of customer data. As most consumers are now shopping from home, keeping a safe online shopping experience is a must to businesses looking for continuity."