After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented new victims.
On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet’s infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.
As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals.
The actors appended the skimmer at the bottom of the jQuery library:
The first Magecart skimmer
The skimmer is one with which RiskIQ is familiar. It has been in use by Group 8 since at least 2018. The group itself has been active since 2016. Group 8 is responsible for many victims, but followers of our Magecart reporting will recognize them from compromises of bedding and pillow manufacturers Amerisleep and MyPillow and Philippine broadcast company ABS-CBN, both in 2018. So far, we have observed this skimmer code on over 200 victim domains and have identified 88 unique actor-owned domains.
Here, we’ll explain the skimmer in two parts and stick with the main skimmer code (omitting some of the utility functions used for data encryption).
The first part of the skimmer is what we call the configuration block and the “page check.” Here, the skimmer performs a quick check to see if the current page the browser is on looks like a payment page. It also defines the variables needed for skimming the data correctly:
This part of the skimmer performs checks
The skimmer sets the top four variables to ensure that it’s analyzing the right fields and the correct button for skimming. We’ll get into them more a bit later.
The code below these variables is the page check. With a simple regex, the skimmer confirms if it is on a page that looks to be a payment/checkout page. If so, it checks if the variables are correctly defined so the skimmer will work. If everything checks out, it will call the actual skimming function after a small delay.
After it defines these variables and checks the browser’s location, the second part, skimming code, will kick in:
The skimming code is simple. The top part grabs the field values (some of the field names/IDs come from the earlier defined variables) and puts all the data together. The skimmer then turns this data into a long text string that is encrypted before it goes off to the criminal-owned server.
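The pattern described above, a skimmer appended to the end of a legitimate library (or, as seen later in this incident, placed near its top) with the exfiltration URL carried in the injected code, is something a site owner can catch by comparing what the web server actually serves against a known-good copy of each script. The following is an added example of such a baseline check; it is not RiskIQ's tooling or NutriBullet's code. The library stub, the injected tails and heads, and the `*-placeholder.example` hosts are all constructed sample data.

```python
"""Baseline-diff check for first-party JavaScript assets (added example).

Assumes the defender keeps a known-good copy of each served script
(for example the vendored jQuery build) and periodically re-fetches
what the site serves. Any difference is localized to the head, the
tail, or the middle of the file, and URLs found in the changed region
are pulled out so the hosts can be checked and, if needed, blocked.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Host and optional path of any http(s) URL in the injected region.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(/[^\s'\"]*)?")


@dataclass
class Finding:
    asset: str
    position: str                      # "clean", "prefix", "suffix" or "middle"
    injected: str = ""                 # the region that differs from the baseline
    hosts: list = field(default_factory=list)
    paths: list = field(default_factory=list)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def locate_injection(baseline: str, served: str):
    """Return (position, changed_region) of `served` relative to the known-good copy."""
    if served == baseline:
        return "clean", ""
    if served.endswith(baseline):          # code placed before the library
        return "prefix", served[: len(served) - len(baseline)]
    if served.startswith(baseline):        # code appended after the library
        return "suffix", served[len(baseline):]
    # Otherwise strip the longest common head and tail; what is left is the change.
    n = min(len(baseline), len(served))
    i = 0
    while i < n and baseline[i] == served[i]:
        i += 1
    j = 0
    while j < n - i and baseline[-1 - j] == served[-1 - j]:
        j += 1
    return "middle", served[i: len(served) - j]


def check_asset(name: str, baseline: str, served: str) -> Finding:
    # Fast path: identical hash means there is nothing to inspect.
    if sha256(baseline) == sha256(served):
        return Finding(name, "clean")
    position, region = locate_injection(baseline, served)
    hosts, paths = [], []
    for host, path in URL_RE.findall(region):
        if host not in hosts:
            hosts.append(host)
        if path and path not in paths:
            paths.append(path)
    return Finding(name, position, region, hosts, paths)


def audit(assets):
    """assets: {name: (baseline_text, served_text)} -> findings for modified assets only."""
    return [f for f in (check_asset(n, b, s) for n, (b, s) in assets.items())
            if f.position != "clean"]


# Constructed sample data: a stand-in library plus what two later fetches returned.
JQUERY_BASELINE = "/*! jquery-stub (constructed) */\n(function(w){w.$=function(){};})(window);\n"
TAIL_INJECTION = "var _u='https://exfil-placeholder.example/tr/';\n"          # placeholder host
HEAD_INJECTION = "/* injected */ var _h='https://second-placeholder.example/tr/';\n"

SAMPLE_ASSETS = {
    "jquery.js": (JQUERY_BASELINE, JQUERY_BASELINE + TAIL_INJECTION),        # appended at bottom
    "jquery.plugin.js": (JQUERY_BASELINE, HEAD_INJECTION + JQUERY_BASELINE),  # placed near the top
    "untouched.js": (JQUERY_BASELINE, JQUERY_BASELINE),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSETS):
        print(f"{f.asset}: modified at {f.position}, hosts={f.hosts}, paths={f.paths}")
```

Running the check on a schedule, and alerting on any asset whose position is not "clean", would have surfaced each of the three placements in this incident as soon as they were served, independently of whether the exfiltration domain was still alive. The extracted hosts are the values to hand to a takedown partner or to add to an egress block list.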
Some readers might recognize the exfiltration path of /tr/, which has come up before. As we noted previously, this skimmer is not new to RiskIQ, and we have observed it exfiltrate data to the following servers:
The cyber attackers have been using the domain involved in the NutriBullet attack for quite some time—NutriBullet is far from their only victim.
Group 8 operatives placed a second skimmer on the NutriBullet website on March 5th around 7 pm GMT—only a few days after we neutralized the first exfiltration domain. This time, they targeted a different resource, a submodule for jQuery:
Again, Group 8 operatives appended the skimmer at the end of the file:
The second skimmer added to the NutriBullet site
The skimmer here is the same as the one described in the first incident, with one change. Due to our takedown, the actors set up a new domain for exfiltration a day after we took down their first. The new exfiltration URL in the skimmer is:
The fact that this domain was set up on March 2nd, the day after the first skimmer was removed, tells us it might well have been the cyber attackers who removed the skimmer after we killed off their domain.
For this domain takedown, we again worked with our partners at AbuseCH and ShadowServer to stop the active skimming on the site, without the assistance of NutriBullet. The company continues to put its customers at risk by ignoring our communications and offers of help.
Because we are keeping an active watch on the NutriBullet store, we saw that the cyber attackers were back on March 10th around 9 pm GMT with another skimmer. This time they injected it at:
This time, the cyber attackers did not append the skimmer at the end of the script. Instead, we found it near the top. It was the same skimmer with the same obfuscation:
The third skimmer
The exfiltration URL used for this was:
At the time the cyber attackers placed the skimmer in this new script, we had already taken down the domain they used for receiving data. We believe the cyber attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct.
While we haven’t published on Group 8 since 2018, they have been extremely active. Their preferred tactic is focusing on individual victims, avoiding the “shotgun approach” many other Magecart groups take, where they compromise many sites at once and hope for at least one worthwhile victim. Instead, Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose.
The compromise of this diamond exchange began in July 2019 and was cleaned up sometime in November 2019. The following stores were hit:
The cyber attack on NutriBullet represents one more of thousands of Magecart breaches on well-established brands that garner thousands of site visitors each week.
RiskIQ now detects several Magecart breaches every hour and has observed Magecart skimmers in the wild millions of times. With that kind of volume, it’s not surprising that Magecart operatives continue to pop up in unexpected places as they work hard to get a piece of the trillions of dollars consumers spend in e-commerce every year.
Highly targeted, highly technical breaches may become a trend. As we saw in the cyber attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right acumen and enough time will find them.
* RiskIQ researchers reached out to NutriBullet via their support channel and NutriBullet leadership via LinkedIn less than 24 hours after the incident and continued outreach over the next three weeks. As of the date of this blog, our attempts at communication with NutriBullet have not been answered. The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers.