Skip to content ↓ | Skip to navigation ↓

Digital attackers compromised the website of kitchen and household products manufacturer Tupperware with a credit card skimmer.

On March 20, researchers at Malwarebytes observed that attackers had compromised tupperware[.]com by hiding malicious code within an image file. This code activated when a user attempted to check out and complete their purchase on Tupperware’s online store. At that time, it displayed a fraudulent form as an iframe for the purpose of collecting a user’s credit card credentials.

A closer look at this incident revealed that the iframe had loaded from deskofhelp[.]com. Registered on March 9 by someone using the email address elbadtoy@yandex[.]ru, this domain was located on a server at 5.2.78[.]19 along with other phishing domains at the time of discovery.

One someone had filled in their payment card details, the iframe displayed a “Session timed out” error message. It then reloaded the page with the website’s legitimate payment form while it secretly exfiltrated the user’s information to the attackers.

The fake payment form loaded as an iframe on Tupperware’s website. (Source: Malwarebytes)

After contacting Tupperware, Malwarebytes noticed that someone had removed the malicious image file and the JavaScript that was present on the homepage on March 25.

A day later, a spokesperson for the company shared a statement with Computer Weekly:

Tupperware recently became aware of a potential security incident involving unauthorised code on our US and Canadian e-commerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorised code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement.

Our investigation is continuing and it is too early to provide further details. We anticipate providing all necessary notifications as we get further clarity about the specific timeframes and orders that may have been involved. We want to assure our customers that protecting their information is our top priority, and we will continue to work vigilantly to pursue this matter quickly to resolution.

News of this attack comes approximately one month after scammers disguised two domains as a content delivery network (CDN) in an attempt to quietly target visitors with a credit card skimmer.