- The checkout page on “tupperware.com” has been infected with card-stealing skimmers.
- The victims were urged to enter their payment details on a spoofed payment form loaded by a malicious image.
- The Magecart skimmer remained operational on the popular website for at least five days.
Researchers working for Malwarebytes have found card data-stealing skimmers on the online shop of “Tupperware,” one of the most widely known and trusted kitchen and household products makers. The discovery happened on March 20, 2020, and the researchers attempted to notify Tupperware of the risk. While they tried to reach the company via emails, phone calls, Twitter, and Linkedin, no representative answered them. It means that “tupperware.com,” a website that receives prodigious amounts of user traffic, remained a risk for its visitors, as the skimmer kept running on the checkout page, collecting customer payment data and card details.
More specifically, the actors managed to plant a script that loads an iframe container displaying a spoofed checkout page. There, the victims enter their first and last name, billing address, telephone number, credit card number, expiration date, and the CVV safety code, and everything is sent directly to the Magecart actors. The researchers noticed that the domain that receives this data was created on March 9, 2020, it is registered to a Russian email address, and it resides on a server were numerous phishing websites are also hosted.
Even if someone went through the trouble of inspecting the HTML source code of the Tupperware checkout page, they wouldn’t see the skimmer. It is because the malicious snippet is loaded dynamically in the Document Object Model. One giveaway of the form being fake is the fact that there has been no implementation of localization for different languages. The Tupperware website supports other languages besides English, so the payment form should not be limited to English only. While this might save clients that use different languages, most of the Tupperware traffic comes from the United States, so the skimmer could work well with the majority.