UPDATED 20:25 EDT / MARCH 25 2020

tupperware SECURITY

Customer payment details stolen in hack of Tupperware website

Plastic container maker Tupperware Brands Corp. is the latest to fall victim to hackers, who stole customer payment details.

Discovered by researchers at Malwarebytes on March 20, the attack involved the placement of a fraudulent payment form designed to mimic the official payment form during the checkout process.

The form is triggered by malicious code hiding within an image file inserted onto the site. Customers are completely unaware that they are entering details on a fake payment form. The use of an image file with malicious code is notable because it evades traditional detection techniques.

Once customers inserted their details into the malicious form and hit submit, they were then shown an error disguised as a time-out message. The page is then reloaded and victims enter the information a second time on the legitimate page, none the wiser to what has happened.

As is usual with digital credit card skimmers, the form captures the payment details and then sends them to the cybercriminals behind the attack.

The researchers reached out to Tupperware via phone, email, Twitter and LinkedIn with no response, hence their decision to go public with their findings. Someone must have noticed the report since then, however, since the malicious image file was removed.

“We understand that businesses have been disrupted in light of the coronavirus crisis and that employees are working remotely, which accounts for delays,” Malwarebytes’ Jerome Segura told The Register. “Our decision to go public is to ensure that the problem is being looked at in a timely manner to protect online shoppers.”

With employees working from home and a surge in online shopping as coronavirus-related lockdowns seeing more people ordering goods online, the number of cyberattacks is expected to increase as hackers look to take advantage of the situation.

Despite reports of some cybercriminals encouraging others to not take advantage of the situation, nothing is sacred when it comes to a targets, which in the last month include hospitals treating coronavirus patients and even a medical company preparing to do a trial for a vaccine. NutriBullet LLC, the maker of a popular high-priced blender, was also targeted in a card skimming attack in late February.

Photo: Mark Larson/Wikimedia Commons

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.