If you recently bought something from Tupperware.com, you may want to check your credit card statement. According to security researchers, the company’s website was hacked to secretly steal payment card numbers from customers.
On Friday, antivirus firm Malwarebytes noticed that Tupperware.com was hosting a "credit card skimmer,” which would activate during the checkout process. The skimmer works by creating a dummy payment form that’ll pass your credit card number, expiration date, and CVV code to a hacker-controlled internet domain.
The same skimmer will also collect your full name, billing address, and telephone number, giving the hackers all the information needed to make fraudulent credit card charges.
How the hackers compromised Tupperware.com remains unclear. But Malwarebytes found evidence the site is running an outdated version of Magento Enterprise, an e-commerce software platform that cybercriminal gangs often target.
In this case, the hackers hid their attack on Tupperware’s website by using an image PNG file that secretly contains malicious computer code. The PNG file itself pretends to be an FAQ image icon. However, it will also trigger the Tupperware site to load the dummy payment form during the checkout process.
According to Malwarebytes, there’s only one noticeable flaw to the attack. “The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages,” wrote company researcher Jerome Segura. “For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English.”
Malwarebytes has been trying to alert Tupperware about the credit card skimmer since the discovery. However, its attempts to reach out to the company via phone call, email, and social media have resulted in no response. So on Wednesday, Malwarebytes published a blog post about the credit card skimmer to warn the public.
“Following publication of the blog, we noticed that the malicious PNG file has been removed. This will break the skimmer,” Malwarebytes said in a follow-up tweet. “However, other artifacts remain present and a full security sweep will be necessary.”
Tupperware did not immediately respond to a request for comment. According to Malwarebytes, the site was likely first breached on March 9.
Further Reading
- Microsoft: Windows Flaw Lets Hackers Use Fonts to Create Booby-Trapped Documents
- Don't Get Scammed: 5 Security Tips for Work-From-Home Professionals
- Do I Need a VPN at Home?
- FCC: Watch Out for Robocall Scams Offering Fake Coronavirus Test Kits
- More in Security