More Business Websites Hit by Credit-card Skimming Malware

In the last few days it has come to light that blender manufacturer NutriBullet and guitar tuition website Truefire fell foul of hackers who planted Magecart-style malicious code on their sites. The code went undetected for months, stealing credit card details and personal information from users.

Truefire realised it had suffered a security breach on January 10, 2020, and an investigation found that its website had been compromised since August 3, 2019.  Sensitive data related to guitar-playing pupils and their payment cards continued to be skimmed as it was entered onto the compromised website for a further four days.

Affected Truefire customers are only receiving a letter notifying them of the security breach now.  Users were directed to major credit-monitoring companies, and advised to keep a close eye on their finances for unusual transactions.


Disappointingly, there does not appear to be any mention of the incident on Truefire’s website.

Meanwhile, as TechCrunch reports, security researchers at RiskIQ discovered that the website of blender maker NutriBullet had been compromised in similar attacks over the past two months.

A malicious script planted on the NutriBullet website’s payment page stole credit card numbers, expiry dates, CVV codes, names, and addresses of unsuspecting blender buyers and sent them to a server under the control of cybercriminals.

According to the report, the sensitive data was then sold to other criminals on underground forums.

RiskIQ says that although NutriBullet has attempted to clean up the poisoned webpages, the attackers continue to break back in and plant malicious code – suggesting that they continue to exploit a way of compromising the blender maker’s infrastructure.

Peter Huh, the CIO of NutriBullet, confirmed that a security breach had occurred and said that a forensic investigation into the incident had been initiated.  There is no word yet as to what plans NutriBullet has to inform affected customers.

In both cases it feels like the companies at the centre of the security breaches should be communicating more transparently with their users, ensuring that they are informed promptly and given as much detail as possible about what has occurred.

Organisations which fail to communicate clearly and openly with their clients after a security breach risk doing serious harm to their reputation, and destroying any hard-earned trust they have built up with their customers over the years.

The attacks on NutriBullet and Truefire are, I’m afraid, only the tip of the iceberg.

Just last week, security researcher Jacob Pimental warned of 60 ecommerce sites that had been recently found to have fallen foul of Magecart.

In a typical data breach, hackers break into company servers, access databases and steal large amounts of information – perhaps including encrypted passwords, email addresses, telephone numbers, and maybe even limited financial details.

What you don’t normally see in a data breach, however, is full payment card information stolen – such as your CVV security code – because most companies simply do not store such details.

That’s what makes Magecart so dangerous.  Magecart’s malicious JavaScript skims credit card details and personal information as it is entered by users on websites.

Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, the American Cancer Society… and many, many more.

While the attacks continue to successfully steal users’ sensitive and easily-monetised data via company websites, there is no prospect of the criminals behind them stopping any time soon.
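Because the skimming described above runs as a script added to the payment page, one defensive check is to compare the scripts a checkout page actually serves against a reviewed baseline, which also catches the kind of re-infection after clean-up that RiskIQ reported. The following Node.js sketch is an added example, not code from the original article, RiskIQ or either affected company; the hosts, baseline, integrity placeholder and sample pages are all constructed.

```javascript
const crypto = require("crypto");
const sha256 = (text) => crypto.createHash("sha256").update(text).digest("hex");

// List every <script>: external ones by URL (query string ignored), inline ones by content hash.
function inventoryScripts(html, pageUrl) {
  const items = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) {
      const url = new URL(src[1], pageUrl);
      items.push({ kind: "external", id: url.origin + url.pathname,
                   hasIntegrity: /\bintegrity\s*=/i.test(attrs) });
    } else if (body.trim()) {
      items.push({ kind: "inline", id: "sha256:" + sha256(body.trim()) });
    }
  }
  return items;
}

// Flag scripts missing from the baseline, and known third-party scripts served without SRI.
function auditPage(html, pageUrl, baseline) {
  const known = new Set(baseline);
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const s of inventoryScripts(html, pageUrl)) {
    if (!known.has(s.id)) findings.push({ issue: "not-in-baseline", ...s });
    else if (s.kind === "external" && !s.id.startsWith(pageOrigin + "/") && !s.hasIntegrity)
      findings.push({ issue: "third-party-without-sri", ...s });
  }
  return findings;
}

// Constructed sample data: hypothetical hosts under the reserved .example TLD.
const PAGE_URL = "https://shop.example/checkout";
const REVIEWED_INLINE = "window.cartId = 'c-1001';";
const BASELINE = [
  "https://shop.example/js/checkout.js",
  "https://cdn.payments.example/v3/sdk.js",
  "sha256:" + sha256(REVIEWED_INLINE),
];
const CLEAN_PAGE = `<html><body><form id="pay"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.payments.example/v3/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>${REVIEWED_INLINE}</script></body></html>`;
// The same page after a constructed tampering: one unreviewed external script appended.
const TAMPERED_PAGE = CLEAN_PAGE.replace("</body>",
  '<script src="https://stats-cdn.example/a.js"></script></body>');

console.log(auditPage(TAMPERED_PAGE, PAGE_URL, BASELINE));
```

Run on a schedule against the live payment page, a check like this turns a silent script change into an alert that can be investigated the same day.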


*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Graham Cluley. Read the original post at: