Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

On Thursday, February 20th, around 3 pm GMT, criminals RiskIQ identifies as Magecart Group 8 placed a JavaScript skimmer on the international website for blender manufacturer NutriBullet, nutribullet.com. Our systems caught the attack as it happened and continue to detect new developments.

After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims.

On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet’s infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.

As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals. 

The First Skimmer

On Thursday, February 20th, around 3 pm GMT, criminals inserted a skimmer on the NutriBullet website. To make sure the skimmer got on a payment page, they targeted a resource that all pages on the site use, the jQuery JavaScript library. This resource was located at:

https://www.nutribullet.com/wp-includes/js/jquery/jquery.js

The actors appended the skimmer at the bottom of the jQuery library:

First Magecart skimmer

The skimmer is one with which RiskIQ is familiar. It has been in use by Group 8 since at least 2018. The group itself has been active since 2016. Group 8 is responsible for many victims, but followers of our Magecart reporting will recognize them from compromises of bedding and pillow manufacturers Amerisleep and MyPillow and Philippine broadcast company ABS-CBN, both in 2018. So far, we have observed this skimmer code on over 200 victim domains and have identified 88 unique actor-owned domains.

Here, we’ll explain the skimmer in two parts and stick with the main skimmer code (omitting some of the utility functions used for data encryption).

The first part of the skimmer is what we call the configuration block and the “page check.” Here, the skimmer performs a quick check to see if the current page the browser is on looks like a payment page. It also defines the variables needed for skimming the data correctly:

This part of the skimmer performs checks

The skimmer sets the top four variables to ensure that it’s analyzing the right fields and the correct button for skimming. We’ll get into them more a bit later. 

The code below these variables is the page check. With a simple regex, the skimmer confirms if it is on a page that looks to be a payment/checkout page. If so, it checks if the variables are correctly defined so the skimmer will work. If everything checks out, it will call the actual skimming function after a small delay.

After it defines these variables and checks the browser’s location, the second part, skimming code, will kick in:

Skimming code

The skimming code is simple. The top part grabs the field values—some of the field names/IDs come from the earlier defined variables—and puts all the data together. The skimmer then turns this data into a long text string that is encrypted before goes off to the criminal-owned server.

Some readers might recognize the exfiltration path of /tr/, which has come up before. As we noted previously, this skimmer is not new to RiskIQ, and we have observed it exfiltrate data to the following servers:

  • https://prodealscenter.com/tr/
  • https://freshdepor.com/tr/
  • https://swappastore.com/tr/
  • https://coffemokko.com/tr/

The attackers have been using the domain involved in the NutriBullet attack for quite some time—NutriBullet is far from their only victim.

The Second Skimmer

Group 8 operatives placed a second skimmer on the NutriBullet website on March 5th around 7 pm GMT—only a few days after we neutralized the first exfiltration domain. This time, they targeted a different resource, a submodule for jQuery:

https://www.nutribullet.com/wp-content/themes/nutribullet/resources/assets/scripts/lib/jquery.validate.min.js

Again, Group 8 operatives appended the skimmer at the end of the file:

The second skimmer added to the NutriBullet site

The skimmer here is the same as when we described it in the first incident, with one change. Due to our takedown, the actors set up a new domain for exfiltration a day after we took down their first. The new exfiltration URL in the skimmer is:

https://webanalyzer.net/tr/

The fact that this domain was set up on March 2nd, the day after the first skimmer was removed, tells us it might well have been the attackers who removed the skimmer after we killed off their domain.

For this domain takedown, we again worked with our partners at AbuseCH and ShadowServer to kill stop the active skimming on the site, without the assistance of NutriBullet. The company continues to put its customers at risk by ignoring our communications and offers of help.

The Third Skimmer

Because we are keeping an active watch on the NutriBullet store, we saw that the attackers were back on March 10th around 9 pm GMT with another skimmer. This time they injected it at:

https://www.nutribullet.com/wp-content/themes/nutribullet/dist/scripts/main-build-8a9adc31.js

This time, the attackers did not append the skimmer at the end of the script. Instead, we found it near the top. It was the same skimmer with the same obfuscation:

The third Skimmer

The exfiltration URL used for this was:

https://webanalyzer.net/tr/

At the time the attackers placed the skimmer in this new script, we had already taken down the domain they used for receiving data. We believe the attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct.

Group 8 Has Been Busy

While we haven’t published on Group 8 since 2018, they have been extremely active. Their preferred tactic is focusing on individual victims, avoiding the “shotgun approach” many other Magecart groups take, where they compromise many sites at once and hope for at least one worthwhile victim. Instead, Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose. 

In 2019, we observed Group 8 target a national diamond exchange. The attackers were able to hit all the exchange’s localized websites at the same time. Each of these sites was designed for a different city in which it has an office, and all follow a general pattern, <cityname>diamonddistrict.com. Each of these sites also run on the same backend, which means that after Group 8 compromised one site and placed their skimmer in a JavaScript file on the server, they could skim them all. Magecart observed a similar incident involving Magecart Group 11.  

The compromise of this diamond exchange began in July 2019 and was cleaned up sometime in November 2019. The following stores were hit:

  • nycdiamonddistrict.com
  • arizonadiamonddistrict.com
  • virginiadiamonddistrict.com
  • sanfranciscodiamonddistrict.com
  • chicagodiamonddistrict.com
  • philadelphiadiamonddistrict.com

IOCs:

https://community.riskiq.com/projects/6e78f09d-3081-f3aa-0a91-f4e7f5195c78 

Conclusions

The attack on NutriBullet represents one more of thousands of Magecart breaches on well-established brands that garner thousands of site visitors each week.

RiskIQ now detects several Magecart breaches every hour and has observed Magecart skimmers in the wild millions of times. With that kind of volume, it’s not surprising that Magecart operatives continue to pop up in unexpected places as they work hard to get a piece of the trillions of dollars consumers spend in e-commerce every year.

Highly targeted, highly technical breaches may become a trend. As we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right acumen and enough time will find them. 

Unfortunately, given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities. They’re learning from past attacks to stay one step ahead, so it’s on the security community to do the same. Make sure you’re staying up to date by reading all our findings on Magecart and stay tuned as we continue to shine a light on new developments. Also, find out how RiskIQ protects customers by reading up on our JavaScript Threats Module here

* RiskIQ researchers reached out to NutriBullet via their support channel and NutriBullet leadership via LinkedIn less than 24 hours after the incident and continued outreach over the next three weeks. As of the date of this blog, our attempts at communication with NutriBullet have not been answered. The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers. 

The post Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims appeared first on RiskIQ.

Article Link: https://www.riskiq.com/blog/labs/magecart-nutribullet/