Steganographic techniques were used to create a fake payment form to steal data before handing control back to the real payment form!
On March 20, a targeted cyberattack against household brand Tupperware and its associated websites was started, and it is still active today.
Cybersecurity specialist Malwarebytes discovered this attack and attempted to alert Tupperware immediately, without response.
Threat actors had compromised the official Tupperware site—which averages close to 1 million monthly visits—as well as a few of its localized versions by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals with Tupperware shoppers none the wiser.
Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats monitored at Malwarebytes. For the past several years, a number of criminals (usually tied to organized Magecart groups) have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.
In recent months, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward.
There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible. Following are the workings of the hack.
Rogue iframe container
During one of Malwarebytes’ routine web crawls, they identified a suspicious-looking iframe, served from the domain deskofhelp[.]com, loaded when visiting the checkout page at the Tupperware site. This iframe is responsible for displaying the payment form fields presented to online shoppers.
There are a few red flags with this domain name:
- It was created on March 9. Newly registered domains are commonly used by threat actors shortly before a new campaign, as is the case with many fraudulent websites.
- It is registered to elbadtoy@yandex[.]ru, an email address with Russian provider Yandex. This seems at odds with a payment form on a US-branded website.
- It is hosted on a server at 5.2.78[.]19 alongside a number of phishing domains.
Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That is because it is loaded dynamically in the Document Object Model (DOM) only.
One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.
There is one small flaw in the integration of the credit card skimmer: The attackers did not carefully consider (or perhaps did not care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English.
More trickery to dupe shoppers
The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.
This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.
Upon close inspection, the researchers saw that the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: Malwarebytes has contacted Visa, which owns CyberSource, to report this abuse as well.
You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.
The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:
- First and last name
- Billing address
- Telephone number
- Credit card number
- Credit card expiry date
- Credit card CVV
Another case of steganography
In order to identify how the card skimmer attack worked, the researchers needed to go back a few steps and examine all web resources loaded by the Tupperware website, including image files.
This process can be time-consuming but is necessary to figure out how the rogue iframe is injected. Malwarebytes found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image is a malformed PNG file that is quite suspicious.
Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces, there is a large JavaScript blurb that includes several parts that have been encoded.
At this point, Malwarebytes did not yet know what the code was meant to do, but they could tell it was some kind of steganographic attack, a technique observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.
Once the researchers got past that hurdle, they could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page.
There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and using the {display:none} setting.
The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.
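The injection and hiding behaviour described above (an iframe inserted dynamically so that it never appears in the static HTML, and the legitimate CyberSource iframe suppressed with display:none) can be watched for from the page itself. The following is an added example, not code from the original post or from Malwarebytes: it audits the iframes on a checkout page against an allowlist of expected payment origins and flags both a frame from an unknown origin and an allowlisted frame that has been hidden, with a MutationObserver hook for use in a browser. The allowlist, the element ids, the rogue-payment.example domain and the sample snapshot are all constructed assumptions.

```javascript
// Origins a checkout page is expected to load payment frames from. The CyberSource
// host is the one named on the page; treating it as the only allowed origin is an assumption.
const ALLOWED_PAYMENT_ORIGINS = new Set(['https://secureacceptance.cybersource.com']);

function frameOrigin(src) {
  try { return new URL(src).origin; } catch { return null; }
}

// Pure check over plain {id, src, display} records so it can run outside a browser.
function auditPaymentFrames(frames, allowed = ALLOWED_PAYMENT_ORIGINS) {
  const findings = [];
  for (const f of frames) {
    if (!f.src || f.src === 'about:blank') continue;   // empty helper frames are not payment forms
    const origin = frameOrigin(f.src);
    if (origin === null || !allowed.has(origin)) {
      findings.push({ id: f.id, origin, issue: 'iframe from unexpected origin' });
    } else if (f.display === 'none') {
      findings.push({ id: f.id, origin, issue: 'legitimate payment iframe hidden' });
    }
  }
  return findings;
}

// Browser-only helpers: snapshot the live DOM and re-audit on every mutation,
// which catches a frame added only in the DOM after the page was served.
function snapshotFrames(doc = document) {
  return Array.from(doc.querySelectorAll('iframe')).map(el => ({
    id: el.id, src: el.src, display: getComputedStyle(el).display,
  }));
}
function watchCheckout(report) {
  const observer = new MutationObserver(() => {
    const findings = auditPaymentFrames(snapshotFrames());
    if (findings.length) report(findings);
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['style', 'class', 'src'],
  });
  return observer;
}

// Constructed snapshot reproducing the situation described above: the real frame
// hidden, a look-alike from an unrelated origin shown in its place.
const SAMPLE_CHECKOUT_FRAMES = [
  { id: 'payment-frame', src: 'https://secureacceptance.cybersource.com/embedded/pay', display: 'none' },
  { id: '', src: 'https://rogue-payment.example/form.html', display: 'block' },
];
```

In a browser, `watchCheckout(findings => console.warn(findings))` on the checkout page reports the moment the real frame is hidden or an unknown frame appears.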
The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.
Site compromise
One question researchers have not figured out yet is how the malicious PNG image is loaded. They know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.
To make identification slightly more difficult, the code has been split into fragments. However, the threat hunters reconstructed it to see how the URL loading the PNG file is built, for instance by string concatenation.
This code is helpful to determine a time frame for when the website compromise happened. Although Malwarebytes does not have the archives, they know from external sources, such as this WayBackMachine crawl, that the code was not present in February.
The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.
Researchers do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.
Disclosure and protection
Upon identifying this compromise, the team called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, they could not get any response at the time.
Subsequently, a spokesperson for Tupperware gave a public statement to Alex Scroxton, Security Editor at ComputerWeekly. The company stated that it has removed the card skimmer and attempted to reassure customers about the breach. “Our investigation is continuing and it is too early to provide further details. We anticipate providing all necessary notifications as we get further clarity about the specific timeframes and orders that may have been involved. We want to assure our customers that protecting their information is our top priority, and we will continue to work vigilantly to pursue this matter quickly to resolution.”
As of 03/25 at 1:45 PM PT, Malwarebytes noticed that the malicious PNG file had been removed, followed later by the JavaScript that was present on the homepage.