Magecart Hackers Hit NutriBullet Website Multiple Times


Hackers identified as being part of Magecart Group 8 attacked NutriBullet’s website multiple times during the last few months, according to new RiskIQ research released on Wednesday (March 18).

The group injected credit card-skimming malware into the blender maker’s payment pages and swiped personal details such as card numbers, names, billing addresses, expiration dates and card verification numbers.

The attackers first hit on Feb. 20 and placed a JavaScript skimmer on the website, RiskIQ discovered. It was removed by March 1, but another was added on March 5 in a new script, and on March 10 the attackers added yet another skimmer in a different script. The cybersecurity firm believes there are still vulnerabilities.

“After multiple attempts to contact NutriBullet and receiving no response, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims,” RiskIQ said.

Magecart Group 8 has been active since 2016 and has hacked at least 200 domains, with many victims, and created 88 unique actor-owned domains. Other victims include Amerisleep, MyPillow and Philippine broadcast company ABS-CBN. The group also targeted a diamond exchange that involved six merchants from six different states.

“Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose,” RiskIQ said. 

The San Francisco-based startup said it detects multiple Magecart breaches every 60 minutes.

“Unfortunately, given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities. They’re learning from past attacks to stay one step ahead, so it’s on the security community to do the same,” the cybersecurity firm said.

RiskIQ head of threat research Yonathan Klijnsma told TechCrunch that people should avoid the NutriBullet website until the company “acknowledges our outreach and performs a cleanup.”

Peter Huh, chief information officer at NutriBullet, confirmed the attacks to the news outlet and said it “launched forensic investigations” into the incident. He said the company will “work closely with outside cybersecurity specialists to prevent further incursions.”

RiskIQ was founded in 2009 by Brad Byrd, Chris Kiernan, David Pon and Elias Manousos. The firm protects the websites of eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies worldwide. 

