Hackers specifically targeted the checkout page of the website, where customers enter their payment card details.
After identifying the attack, RiskIQ researchers alerted NutriBullet via its support channel, but they didn't get any response from the company.
RiskIQ researchers then decided to take the initiative and neutralise the attack. With the help of Swiss security site AbuseCH and the Shadowserver Foundation, they were finally able to demolish the data exfiltration domain that hackers used to receive the stolen card data.
The skimmer used by hackers was also removed from nutribullet.com on 1st March.
However, by 2nd March, scammers had created a new domain to receive stolen data. On 7th March, they launched their second attack against Nutribullet and were able to insert again card-skimming malware on the website.
According to researchers, Magecart Group 8 has been using this specific malware since 2018. The group itself has been active since 2016 and has targeted several well-established brands in past three years.
RiskIQ researchers dismantled hackers' data exfiltration domain again, but they appeared for the third time on 10th March.
The researchers warn that compromise was on-going at the time of publication of their latest report.
In a statement, NutriBullet said that it has already launched an investigation to determine how attackers were able to compromise its website and insert the malicious code on to it. The company is also updating its security policies to include Multi-Factor Authentication as a further precaution.
"Our team will work closely with outside cyber security specialists to prevent further incursions," NutriBullet said.
"We thank RiskIQ for bringing this issue to our attention."
According to security researchers, the number of Magecart attacks has intensified over the past two years.
In October last year, researchers warned that up to 20,000 ecommerce websites were at risk of Magecart attacks following Volusion server compromise.
In 2018, a Magecart attack on British Airways compromised credit card details of around 500,000 customers.
Security researchers also warned in September that threat actors were attempting to bring old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.
Eighty-five per cent of Microsoft Exchange Servers vulnerable to remote-code execution security flaw patched last month
Organisations warned to patch protect against CVE-2020-0688 as state-backed APTs start targeting vulnerable Exchange Servers
The watering-hole attacks might be on-going for the past several months, the researchers warn
ENTSO-E's members include 42 electric transmission industry operators across 35 European countries
Redcar and Cleveland Council expelled public and press from council meeting discussing ransomware outbreak
Public and press thrown-out of resources committee meeting last week because ‘sensitive’ information about ransomware attack would be discussed
The industrial giant claims that the Ryuk ransomware attack took place in mid-February