NutriBullet Experiences Multiple Magecart Skimmer Infections

The Magecart Group has revived its activity, with a skimmer placed on the website of blender manufacturer NutriBullet.





RiskIQ identified the group as Magecart Group 8 and was able to catch the attack as it happened. “Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims,” said Yonathan Klijnsma, head of threat research at RiskIQ.





According to an advisory on March 5, attackers placed the skimmer on the website and returned on March 10 to place a new skimmer as “the criminals still had access to NutriBullet's infrastructure and could continue to replace the skimmer domain in the code to make it work again.”





This followed an initial compromise on February 20, when the skimmer targeted the jQuery JavaScript library. RiskIQ said that this skimmer has been in use by Group 8 since at least 2018, whilst Group 8 has been active since 2016 and has reportedly compromised Amerisleep, MyPillow and Philippine broadcast company ABS-CBN in 2018.
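A defender-side check for the pattern described above, where a hosted JavaScript library was altered and the skimmer domain was swapped in the code more than once. This is an added example, not code from RiskIQ or NutriBullet; the function names, sample script text and hostnames are constructed assumptions.

```javascript
// Added example: audit a first-party script against a known-good baseline.
const crypto = require('crypto');

// SRI-style SHA-384 digest of a script body.
function sriDigest(source) {
  const hash = crypto.createHash('sha384').update(source, 'utf8').digest('base64');
  return 'sha384-' + hash;
}

// Hostnames found in absolute or protocol-relative URLs in the source.
// Obfuscated code can hide its hosts, so the digest is the primary signal.
function referencedHosts(source) {
  const hosts = new Set();
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Compare the served script with the baseline digest and a host allowlist.
function auditScript(source, baselineDigest, allowedHosts) {
  const digest = sriDigest(source);
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const unexpectedHosts = referencedHosts(source).filter((h) => !allowed.has(h));
  return { digest, modified: digest !== baselineDigest, unexpectedHosts };
}

// Constructed sample data: a tiny stand-in for a library file and the same
// file with extra code appended that references a host outside the allowlist.
const CLEAN = 'var lib={docs:"https://cdn.shop.example/lib"};';
const TAMPERED = CLEAN + 'var u="https://collector.example/c";';
const ALLOWED = ['cdn.shop.example'];
const BASELINE = sriDigest(CLEAN); // recorded at release time

console.log(auditScript(CLEAN, BASELINE, ALLOWED));
console.log(auditScript(TAMPERED, BASELINE, ALLOWED));
```

Run on a schedule against the scripts the site actually serves, a digest mismatch flags each re-infection even when only the domain string in the file changes.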





RiskIQ said that Group 8’s preferred tactic is to focus on individual victims, rather than more widespread attacks.





The skimmer works by performing a check to see if the current page the browser is on looks like a payment page, and sets the top four variables to ensure that it's analyzing the right fields and the correct button for skimming. After it defines these variables and checks the browser's location, the top part o ..
