The Magecart hacker collective is at it again, this time targeting the NutriBullet website. The collective typically compromises e-commerce shopping-cart software, most often the Magento platform, to steal payment card data.
According to research by security company RiskIQ, the attackers broke into the blender maker's website several times over the last two months. They injected card-skimming code into the payment pages, capturing credit card numbers, names, addresses, card verification values and more. The company's customers were unaware of the intrusion, and so was the company itself until it caught wind of it. The skimmed data was sent to a third-party server the attackers controlled. Stolen card data of this kind is typically sold on to buyers on dark web marketplaces.
NutriBullet fighting against numerous intrusions
NutriBullet fought back by removing the malicious code each time it was discovered, but RiskIQ noted that the attackers still had access to the company's infrastructure, which allowed them to compromise the NutriBullet website again and again. RiskIQ's head of threat research, Yonathan Klijnsma, warned users against using the website until the company completes a cleanup.
NutriBullet's chief information officer, Peter Huh, confirmed the intrusions and said the company is investigating the matter. It will work closely with outside cybersecurity specialists to make sure further intrusions are stopped.
That was the latest attack by Magecart, the group, or possibly groups, of hackers behind the collective. All of its attacks share similarities in motivation, targets, tactics and techniques. There are eight known Magecart groups so far, according to Klijnsma, all focused on stealing credit card data for profit.
Hackers associated with the Magecart collective have hit companies such as British Airways, Ticketmaster and the consumer electronics retailer Newegg. They even attacked the American Cancer Society, among other targets.
With the help of other security outfits, specifically Shadowserver and AbuseCH, RiskIQ managed to take down the malicious domain the Magecart collective was using to exfiltrate the stolen credit card data. According to RiskIQ, the group still has access to the NutriBullet infrastructure, so it can probably keep registering new command-and-control domains and use them to reinfect the site with more card-skimming code.
Are the many Magecart groups operating separately?
The Magecart collective comprises several identified groups. What is now called Group 1 was active as early as 2014, targeting thousands of websites with attacks and malware; its goal at the time was collecting data. Group 2 and Group 3 followed suit with increased reach, in attacks that used card-skimming malware against a wider range of payment providers.
Group 4, on the other hand, accounted for the bulk of the collective's victims: more than 3000 websites were hacked, with the group taking as many card details from as many sites as possible.
The most high-profile victims belonged to Group 5, which carried out supply chain attacks against third-party code providers. These targeted the customer-service chat widgets present on many corporate websites, which then carried the group's skimming malware onto every site that embedded them, allowing the group to expand its attacks on a massive scale. Group 6 focused on specific significant players such as Newegg and British Airways.