Tupperware, the venerable food container maker, has been hit by credit card skimmers on its e-commerce website.
Scammers infiltrated the company’s official site, which sees roughly one million visitors monthly, by hiding malicious code inside a PNG (image) file that activated a phony payment form, Malwarebytes first reported in a blog post. Customer information was heisted from unsuspecting users via a digital credit card skimmer, the report said. The security provider said it first noticed the data breach on March 20 in a routine web crawl.
The hacking crew made off with victims’ names, billing address, telephone number, credit card number, expiration date and card verification value (CVV). Malwarebytes said it didn’t know exactly how the hackers broke into the website. So far, there’s no evidence the robbers have used the stolen credentials but it’s highly likely some Tupperware customers will suffer financial damage, especially given the Covid-19 pandemic. The huge influx of shoppers relying on mail order transactions paid by credit cards is fertile ground for credit card skimmers.
It's not exactly like Tupperware immediately pounced on the compromise. Malwarebytes said the firm didn't respond to its March 20 phone calls, nor its emails and posts on Twitter and LinkedIn. However, as of March 25, 2020, the malicious PNG file had been removed, followed later by the JavaScript on Tupperware's homepage. To date, Tupperware’s website still makes no mention of an update or customer alert nor does its social media accounts have any posts along those lines.
Days later, the company did offer a non-detailed statement: “Tupperware recently became aware of a potential security incident involving unauthorised code on our US and Canadian e-commerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorised code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement.
“Our investigation is continuing and it is too early to provide further details. We anticipate providing all necessary notifications as we get further clarity about the specific timeframes and orders that may have been involved. We want to assure our customers that protecting their information is our top priority, and we will continue to work vigilantly to pursue this matter quickly to resolution.”
Apparently, the grifters put in a “fair amount of work” in the Tupperware breach to keep the swindle undetected for weeks, Malwarebytes said. Here’s a blow-by-blow rundown of the scam:
- Malwarebytes first noticed an iframe loaded from deskofhelp.com, which displays payment information to Tupperware shoppers, on the checkout page at the company’s sites worldwide. The domain raised a “few red flags."
- The website deskofhelp.com was created on March 9, 2020 and registered to [email protected], an email address with Russian provider Yandex. It seemed unusual for a U.S. site to have a Russian-generated payment form.
- The attackers didn’t apply the local language to the form. As Malwarebytes pointed out, while the localized Tupperware site is written in Spanish, the bogus rogue payment form was in English.
- The skim was executed when shoppers first enter their data into the rogue iframe. They're immediately shown an error, disguised as a session time-out. In the meantime, the page is reloaded with the legitimate payment form. Victims enter their credentials again but by then the thieves already have the user’s personal data. The stolen information is sent to the same domain used to host the rogue iframe.
Malwarebytes said its software protects users, including those running its free site, from the attack.
