Criminals hack Tupperware website with credit card skimmer

Criminals hack Tupperware website with credit card skimmer

Update (2): A spokesperson for Tupperware has given a public statement to Alex Scroxton, Security Editor at ComputerWeekly. You can read it here.

Update: Following our blog post, we continued to monitor the Tupperware website. As of 03/25 at 1:45 PM PT, we noticed that the malicious PNG file had been removed, followed later by the JavaScript that was present on the homepage.

On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.

Threat actors compromised the official tupperware[.]com site—which averages close to 1 million monthly visits—as well as a few of its localized versions by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals with Tupperware shoppers none-the-wiser.

Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats we monitor at Malwarebytes. For the past several years, a number of criminals (usually tied to organized Magecart groups) have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.

In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward.

There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible. Below, we walk you through how we discovered the skimmer, and analyze the threat and its attack techniques.

Rogue iframe container

During one of our web crawls, we identified a suspicious-looking iframe loaded from deskofhelp[.]com when visiting the checkout page at tupperware[.]com. This iframe is responsible for displaying the payment form fields presented to online shoppers.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

Below is the legitimate form (in Spanish):

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

There is one small flaw in the integration of the credit card skimmer: The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English:

Below is the legitimate form (in Spanish):

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.

There is one small flaw in the integration of the credit card skimmer: The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English:

Below is the legitimate form (in Spanish):

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

There are a few red flags with this domain name:

  • It was created on March 9, and as we see with many fraudulent websites, newly-registered domains are often used by threat actors prior to a new campaign.
  • It is registered to elbadtoy@yandex[.]ru, an email address with Russian provider Yandex. This seems at odds for a payment form on a US-branded website.
  • It is hosted on a server at 5.2.78[.]19 alongside a number of phishing domains.

Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That’s because it is loaded dynamically in the Document Object Model (DOM) only.

One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.

There is one small flaw in the integration of the credit card skimmer: The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English:

Below is the legitimate form (in Spanish):

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa who owns CyberSource to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image contains a malformed PNG file that is quite suspicious.

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts which have been encoded.

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

To make identification slightly more difficult, the code has been broken down. However, we can reconstruct it and see how the URL loading the PNG file is built by using string concatenation, for instance.

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png es.tupperware[.]com/media/wysiwyg/faq_icon.png  tupperware[.]ca/media/wysiwyg/faq_icon.png fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com 5.2.78[.]19

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher