The NutriBullet website has been compromised by credit card stealing hackers

Published: 2020-03-18

Threat researchers at security company RiskIQ have identified a cyber-attack against blender vendor NutriBullet that has successfully installed credit-card stealing malware on the international nutribullet.com website. Not just once, but three times within three weeks.

The NutriBullet website card-skimming compromise

The attacks appear to have started on February 20 when, RiskIQ said, criminal actors identified as Magecart Group 8 installed credit card skimmer malware on the nutribullet.com website. The malware, a JavaScript-based skimmer, is one that RiskIQ has seen being used by Magecart Group 8 since 2018. The group itself has been active since 2016 and targets well-established brands.

RiskIQ said that it attempted to alert NutriBullet to the attack, both through the NutriBullet support channel and by contacting NutriBullet leadership via LinkedIn, within 24 hours of the incident. Having received no response to these communication attempts, RiskIQ said, it took the initiative itself. With the help of AbuseCH and ShadowServer, it led the takedown of the data exfiltration domain the cyber-criminals were using to receive the stolen card data.

Magecart Group 8 returns again and again

The malware skimmer had been removed from nutribullet.com on March 1, RiskIQ said, but on March 7 the attackers struck again with a second insertion of card-skimming malware on the site. The RiskIQ report notes that the new exfiltration domain used by the second skimmer was set up on March 2, the day after the first skimmer was removed, and suggests that “it might well have been the attackers who removed the skimmer after we killed off their domain.” RiskIQ said that, again without NutriBullet's assistance, it worked with the same partners to take down the new domain.

By now, RiskIQ was keeping a close eye on the NutriBullet store, and on March 10 the attackers were back with yet another card-skimmer malware compromise, the third in three weeks.
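The pattern described above, a JavaScript skimmer that keeps getting re-inserted onto a live store, is exactly what a site owner's own scheduled check should catch before an outside researcher does. The following is an added example, not code from RiskIQ, NutriBullet or the article: a stdlib-only Python monitor that fingerprints every script on a checkout page (external script hosts plus SHA-256 hashes of inline scripts), compares the result with a known-good baseline, and reports any host or inline script that was not there before. The HTML pages, host names (`cdn.shop.example`, `collect.skimmer-c2.test`) and script contents are constructed for the example; in practice the baseline would be recorded once from a verified clean deployment and the check run against the live page on a timer.

```python
"""Baseline diff of page scripts, to detect an injected or re-inserted skimmer.

Added example (not RiskIQ's or NutriBullet's code). Uses only the standard
library; all HTML and host names below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script hosts and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external_hosts = set()
        self.inline_hashes = set()
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Only the host matters for the allowlist; relative/first-party
            # paths have no netloc and are treated as part of the site itself.
            host = urlparse(src).netloc.lower()
            if host:
                self.external_hosts.add(host)
        else:
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline_script:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_inline_script = False


def fingerprint(html):
    """Return the set of external script hosts and inline script hashes in a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"hosts": parser.external_hosts, "inline": parser.inline_hashes}


def diff_against_baseline(html, baseline):
    """Report script hosts and inline scripts present now but absent from the baseline."""
    current = fingerprint(html)
    return {
        "new_hosts": sorted(current["hosts"] - baseline["hosts"]),
        "new_inline": sorted(current["inline"] - baseline["inline"]),
    }


# Constructed sample: the checkout page as deployed (known good).
CLEAN_HTML = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>initCheckout();</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample: the same page after an attacker adds one external script
# and modifies the inline bootstrap (placeholder content, not a real skimmer).
COMPROMISED_HTML = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>initCheckout(); loadExtra();</script>
<script src="https://collect.skimmer-c2.test/s.js"></script>
</head><body><form id="payment"></form></body></html>"""

BASELINE = fingerprint(CLEAN_HTML)


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("compromised", COMPROMISED_HTML)):
        findings = diff_against_baseline(page, BASELINE)
        if findings["new_hosts"] or findings["new_inline"]:
            print(f"[ALERT] {label}: unexpected script hosts {findings['new_hosts']}, "
                  f"{len(findings['new_inline'])} unknown inline script(s)")
        else:
            print(f"[ok] {label}: scripts match baseline")
```

The check is deliberately strict: any unlisted external host or any change to an inline script is reported, because a legitimate deployment changes the baseline through the release process, whereas a skimmer appears without one. Pairing this with a Content-Security-Policy that allows only the baselined hosts turns the same allowlist into a browser-enforced control rather than just a detection.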

The NutriBullet hacking confirmation

As soon as RiskIQ reached out to me concerning the attacks, on March 17, I contacted NutriBullet via their PR agency. A NutriBullet spokesperson supplied me with the following statement:

“NutriBullet takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers. Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach. The company’s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions. We thank RiskIQ for bringing this issue to our attention.”

What that statement did not address, however, is why the attempts to notify NutriBullet back in February, when the site compromise was first spotted, went unanswered. I asked what the reason for this alleged lack of communication with the security researchers might have been but have yet to receive an answer. The official statement suggests NutriBullet first learned of the compromise on March 17, the same day that I contacted it for comment. While it is, of course, good news that the malware has been removed from nutribullet.com once again and steps have been put in place to prevent it coming back, I hope that NutriBullet also investigates why communication channels appear to have failed in this case.

Magecart attacks likely to continue and evolve

Yonathan Klijnsma, head of threat research at RiskIQ, said, “Unfortunately, given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities. They’re learning from past attacks to stay one step ahead.” When you consider that the FBI recently warned the total cost of reported internet crimes across 2019 was a mind-boggling $3.5 billion (£2.9 billion), the motivation is plain to see.

The RiskIQ report into this incident is due to be published later today, March 18.

