Magecart group targets NutriBullet website to steal customers' payment card details

The first attack was launched last month, and the compromise is still ongoing

The website of NutriBullet, the fashionable maker of the eponymous blender, has been compromised by a group classified as Magecart Group 8. Magecart attacks typically target organisations' payment pages, taking advantage of security weaknesses in ecommerce software to make subtle changes to the check-out JavaScript so that payment card details can be stolen as customers enter them.

That is according to researchers from security firm RiskIQ, who revealed that the first attack against the NutriBullet website was launched on 20th February, when hackers were able to insert a JavaScript-based credit card skimmer on the website.

Hackers specifically targeted the checkout page of the website, where customers enter their payment card details.

After identifying the attack, RiskIQ researchers alerted NutriBullet via its support channel, but they didn't get any response from the company.

RiskIQ researchers then decided to take the initiative and neutralise the attack. With the help of Swiss security site AbuseCH and the Shadowserver Foundation, they were finally able to take down the data exfiltration domain that the hackers used to receive the stolen card data.

The skimmer used by hackers was also removed from nutribullet.com on 1st March.

However, by 2nd March, scammers had created a new domain to receive stolen data. On 7th March, they launched their second attack against NutriBullet and were again able to insert card-skimming malware on the website.

According to researchers, Magecart Group 8 has been using this specific malware since 2018. The group itself has been active since 2016 and has targeted several well-established brands in the past three years.

RiskIQ researchers dismantled the hackers' data exfiltration domain again, but the hackers appeared for the third time on 10th March.

The researchers warn that the compromise was ongoing at the time of publication of their latest report.

In a statement, NutriBullet said that it has already launched an investigation to determine how attackers were able to compromise its website and insert the malicious code into it. The company is also updating its security policies to include Multi-Factor Authentication as a further precaution.

"Our team will work closely with outside cyber security specialists to prevent further incursions," NutriBullet said.

"We thank RiskIQ for bringing this issue to our attention."

According to security researchers, the number of Magecart attacks has grown over the past two years.

In October last year, researchers warned that up to 20,000 ecommerce websites were at risk of Magecart attacks following a Volusion server compromise.

In 2018, a Magecart attack on British Airways compromised the credit card details of around 500,000 customers.

Security researchers also warned in September that threat actors were attempting to bring old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.