NutriBullet LLC, the maker of a popular high-priced blender, have been targeted in a number of Magecart attacks, with customer data stolen at the point of sale.

The attacks, attributed to MageCart Group 8, were discovered and publicized today by security researchers at RiskIQ Inc. The first attack, detected Feb. 20, involved the attackers placing skimmer code on the Nutribullet website.

Remarkably, despite the researchers reaching out to Nutribullet, no action was taken. The researchers, working with nonprofit organizations ShadowServer and Abuse.ch, then decided to take down the domain the attackers were using to store stolen credit cards, resulting in the card-skimming code being removed March 1.

But the attacks didn’t stop there. Come March 5, the attackers, who still had access to NutriBullet’s website, inserted new card-skimming code. The same process then repeated: The researchers contacted Nutribullet, had no response, then targeted the domain being used by the attackers, stopping them in their tracks. Then it happened a third time March 10, although in this case the domain used had already been taken down.

“As of the date of this blog [post], our attempts at communication with NutriBullet have not been answered,” the researchers noted. “The compromise is ongoing and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers.”

NutriBullet responded to the report, saying in a statement saying that “our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach. The company’s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions.”

MageCart attacks first emerged in 2018 with an attack on British Airways Plc., spreading to Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd., Ticketmaster Entertainment Inc., Macy’s Inc., Sweaty Betty and Oxo International Ltd.

“It is still a major issue when trying to contact organizations to responsibly disclose security concerns,” Lamar Bailey, senior director of security research at cybersecurity solutions firm Tripwire Inc., told SiliconANGLE. “Every site should have a contact page for security concerns.”

Bailey noted that emailing or calling support is often frustrating and leads to a dead end. “The frontline support engineers don’t understand the gravity of the situation or have no idea how to route the concerns to the correct group,” he said. “We often try to contact company leadership via email or LinkedIn, but many of these attempts go unanswered because they are assumed to be spam or sales tactics.”

Bryan Becker, product manager at application security firm WhiteHat Security Inc., shared advice for companies seeking to protect themselves for Magecart attacks.

“Train your employees regularly on security awareness and put in strong safeguards within the company,” he said. “If your employees can recognize phishing attempts, then the hacker can’t even get past step one.”

Becker said it’s also important to scan internal codebases and external-facing code. “If you think of running dynamic application security testing scans on your external-facing website as protecting your customers, then think of scanning internal tools as protecting your employees,” he said.

Photo: Your Best Digs/Flickr