Magecart hackers have struck again, this time targeting the NutriBullet website.
According to new research by security firm RiskIQ, hackers broke into the blender maker’s website several times over the past two months, injected malicious credit card-skimming malware on its payment pages and siphoned off the credit card numbers and other personal data — like names, billing addresses, expiry dates and card verification values — of unsuspecting blender buyers.
The data was scraped and sent to a third-party server operated by the attackers. The stolen credit card data is then sold to buyers on dark web marketplaces.
NutriBullet fought back each time by removing the malicious code each time. But RiskIQ said that the hackers still have access to the company’s infrastructure, with its hackers targeting NutriBullet’s website as recently as last week.
RiskIQ head of threat research Yonathan Klijnsma warned against using the site until the company “acknowledges our outreach and performs a cleanup.”
NutriBullet’s chief information officer Peter Huh confirmed the intrusions and that it had “launched forensic investigations” into the incident, and claimed it will “work closely with outside cybersecurity specialists to prevent further incursions,” but did not name the outside firm.
Huh and a spokesperson declined to answer our questions, specifically if customers would be notified of the security incident.
It’s the latest attack by Magecart, a group of groups rather than a single entity of hackers, all of which have different motivations and targets, but all of which use largely the same tactics and techniques. There are eight known Magecart groups focused on stealing credit card numbers for profit, according to Klijnsma.
With the help of security outfits AbuseCH and Shadowserver, RiskIQ began efforts to take down the malicious domain that the hackers were using to send stolen credit card numbers. But Klijnsma acknowledged that the group, still with access to NutriBullet’s infrastructure, can keep spinning up new malicious domains and re-infecting the site with credit card-scraping malware.
“They’re learning from past attacks to stay one step ahead,” said Klijnsma. “It’s on the security community to do the same.”