Tupperware fixes hacked site, but questions remain over response

Tupperware has removed a digital credit card skimmer from its e-commerce website and attempted to reassure customers that it takes their personal security seriously, despite having apparently rebuffed attempts by Malwarebytes threat researchers to inform it of the danger over several days.

Yesterday, Malwarebytes revealed that an active credit card skimmer was present on Tupperware’s e-commerce website, and had been siphoning off customers’ personal and financial information for more than a fortnight. Malwarebytes also said that despite contacting Tupperware through multiple channels, its disclosures were ignored.

Shortly after publication, Malwarebytes’ threat intel team said on Twitter that the malicious file had been removed from Tupperware’s site, which meant the skimmer was now broken, but said other artefacts remained. Following an apparent further sweep of the website, these have now disappeared, too.

Overnight, Tupperware responded to requests for comment with a statement. A spokesperson for the kitchenware retailer said: “Tupperware recently became aware of a potential security incident involving unauthorised code on our US and Canadian e-commerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorised code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement.

“Our investigation is continuing and it is too early to provide further details. We anticipate providing all necessary notifications as we get further clarity about the specific timeframes and orders that may have been involved. We want to assure our customers that protecting their information is our top priority, and we will continue to work vigilantly to pursue this matter quickly to resolution.”

However, at the time of writing, Tupperware had not publicly disclosed that it had fallen victim to a cyber attack. The firm’s website still displays no update or alert, and the company’s social media accounts make no mention of the incident, meaning that customers who are not plugged into the technology news cycle still appear to be largely unaware that their information may have been compromised.

In the absence of guidance or disclosure from Tupperware, Tim Mackey, principal strategist at Synopsys’ Cyber Security Research Centre, shared some tips on how consumers who want to protect themselves from this type of attack can best do so.

“Consumers should think about not storing their credit card information on any website,” he said. “That is because if the website could be hacked to install skimming software, it can probably be hacked to collect credit card information other ways.”

Mackey advised using a third-party, one-time use payment method, such as Apple Pay, Google Wallet or PayPal – although, if doing so, it is important for users to confirm that the prompt from the web page presented from their chosen method looks and behaves normally, again because if Tupperware’s security is so lax that skimmers can easily be installed, it would be a simple matter to redirect users to a fake payment portal.

More widely, said Mackey, it is important to enable purchase alerts and monitoring services on credit cards to minimise the length of time they can be used by cyber criminals if compromised. “This would be an effective method for the Tupperware attack scenario,” he noted.

Credit card holders can also maximise their levels of protection by disabling international purchases on their cards, which limits thieves’ ability to profit from it and potentially makes it easier for law enforcement to prosecute if it comes to that. Also, card holders should only shop when at home or connected to their mobile network – public Wi-Fi locations may be convenient, but their security cannot be guaranteed.

Matt Keil, director of product marketing at Cequence, a supplier of cloud-native, artificial intelligence (AI)-powered application protection services, raised questions over the quality of Tupperware’s cyber security posture.

He said that although the group that hacked Tupperware was crafty, the type of attack used should only work on websites that had implemented very few security measures.

“Standard server headers to block iframes would have stopped this attack,” said Keil. “As we look at how Magecart attacks work, having a simple understanding of where your clients are being redirected is becoming necessary.

“Third-party code is needed, but it shouldn’t be an open attack vector, whether it is placed on the website maliciously, brought into the client via an iframe or has a legitimate use, organisations need to monitor how it is impacting their clients.

“Organisations need to take immediate steps to collect an accurate inventory of third-party resources and establish change control policies to validate new code insertion, updates and modifications to existing code. These steps will go a long way to reducing the digital skimming exposure.”