The Magecart Group has revived its activity, with a skimmer placed on the website of blender manufacturer NutriBullet.
According to RiskIQ, the group is identified as Magecart Group 8, and RiskIQ was able to catch the attack as it happened. “Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims,” said Yonathan Klijnsma, head of threat research at RiskIQ.
According to an advisory on March 5, attackers placed the skimmer on the website and returned on March 10 to place a new skimmer as “the criminals still had access to NutriBullet's infrastructure and could continue to replace the skimmer domain in the code to make it work again.”
This followed an initial compromise on February 20, when the skimmer targeted the site's jQuery JavaScript library. RiskIQ said this skimmer has been in use by Group 8 since at least 2018; the group itself has been active since 2016 and reportedly compromised Amerisleep, MyPillow and the Philippine broadcaster ABS-CBN in 2018.
RiskIQ said that Group 8’s preferred tactic is to focus on individual victims, rather than more widespread attacks.
The skimmer first checks whether the page the browser is on looks like a payment page, and sets the four variables at the top of its code so that it reads the right fields and hooks the correct button. After defining these variables and checking the browser's location, the top part of the skimming code grabs the field values, including some field names/IDs taken from those earlier-defined variables, and assembles all the data. The skimmer then serializes this data into a long text string, encrypts it, and sends it to the criminal-owned server.
“So far, we have observed this skimmer code on over 200 victim domains and have identified 88 unique actor-owned domains,” Klijnsma said.
RiskIQ credited partners abuse.ch and ShadowServer with helping stop the active skimming on the site, but was critical of NutriBullet's lack of response. Klijnsma said that RiskIQ researchers reached out to NutriBullet via its support channel, and to NutriBullet leadership via LinkedIn, less than 24 hours after the incident, and continued outreach over the following three weeks.
Klijnsma said: “As of the date of this blog, our attempts at communication with NutriBullet have not been answered. The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers.
“The company continues to put its customers at risk by ignoring our communications and offers of help. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.”
Javvad Malik, Security Awareness Advocate at KnowBe4, said: “The fact that the website has been compromised three times in as many weeks would indicate some underlying flaw that needs to be addressed urgently.”
