After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims.
On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet's infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.
As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals.
The First Skimmer
The actors appended the skimmer at the bottom of the jQuery library:
The skimmer is one with which RiskIQ is familiar. It has been in use by Group 8 since at least 2018. The group itself has been active since 2016. Group 8 is responsible for many victims, but followers of our Magecart reporting will recognize them from compromises of bedding and pillow manufacturers Amerisleep and MyPillow and Philippine broadcast company ABS-CBN, both in 2018. So far, we have observed this skimmer code on over 200 victim domains and have identified 88 unique actor-owned domains.
Here, we'll explain the skimmer in two parts and stick with the main skimmer code (omitting some of the utility functions used for data encryption).
The first part of the skimmer is what we call the configuration block and the "page check." Here, the skimmer performs a quick check to see if the current page the browser is on looks like a payment page. It also defines the variables needed for skimming the data correctly:
The skimmer sets the top four variables to ensure that it's analyzing the right fields and the correct button for skimming. We'll get into them more a bit later.
The code below these variables is the page check. With a simple regex, the skimmer confirms if it is on a page that looks to be a payment/checkout page. If so, it checks if the variables are correctly defined so the skimmer will work. If everything checks out, it will call the actual skimming function after a small delay.
After it defines these variables and checks the browser's location, the second part, skimming code, will kick in:
The skimming code is simple. The top part grabs the field values—some of the field names/IDs come from the earlier defined variables—and puts all the data together. The skimmer then turns this data into a long text string that is encrypted before goes off to the criminal-owned server.
Some readers might recognize the exfiltration path of /tr/, which has come up before. As we noted previously, this skimmer is not new to RiskIQ, and we have observed it exfiltrate data to the following servers:
The cyber attackers have been using the domain involved in the NutriBullet attack for quite some time—NutriBullet is far from their only victim.
The Second Skimmer
Group 8 operatives placed a second skimmer on the NutriBullet website on March 5th around 7 pm GMT—only a few days after we neutralized the first exfiltration domain. This time, they targeted a different resource, a submodule for jQuery:
Again, Group 8 operatives appended the skimmer at the end of the file:
The skimmer here is the same as when we described it in the first incident, with one change. Due to our takedown, the actors set up a new domain for exfiltration a day after we took down their first. The new exfiltration URL in the skimmer is:
The fact that this domain was set up on March 2nd, the day after the first skimmer was removed, tells us it might well have been the cyber attackers who removed the skimmer after we killed off their domain.
For this domain takedown, we again worked with our partners at AbuseCH and ShadowServer to kill stop the active skimming on the site, without the assistance of NutriBullet. The company continues to put its customers at risk by ignoring our communications and offers of help.
The Third Skimmer
Because we are keeping an active watch on the NutriBullet store, we saw that the cyber attackers were back on March 10th around 9 pm GMT with another skimmer. This time they injected it at:
This time, the cyber attackers did not append the skimmer at the end of the script. Instead, we found it near the top. It was the same skimmer with the same obfuscation:
The exfiltration URL used for this was:
At the time the cyber attackers placed the skimmer in this new script, we had already taken down the domain they used for receiving data. We believe the cyber attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct.
Group 8 Has Been Busy
While we haven't published on Group 8 since 2018, they have been extremely active. Their preferred tactic is focusing on individual victims, avoiding the "shotgun approach" many other Magecart groups take, where they compromise many sites at once and hope for at least one worthwhile victim. Instead, Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose.
The compromise of this diamond exchange began in July 2019 and was cleaned up sometime in November 2019. The following stores were hit:
The cyber attack on NutriBullet represents one more of thousands of Magecart breaches on well-established brands that garner thousands of site visitors each week.
RiskIQ now detects several Magecart breaches every hour and has observed Magecart skimmers in the wild millions of times. With that kind of volume, it's not surprising that Magecart operatives continue to pop up in unexpected places as they work hard to get a piece of the trillions of dollars consumers spend in e-commerce every year.
Highly targeted, highly technical breaches may become a trend. As we saw in the cyber attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right acumen and enough time will find them.
* RiskIQ researchers reached out to NutriBullet via their support channel and NutriBullet leadership via LinkedIn less than 24 hours after the incident and continued outreach over the next three weeks. As of the date of this blog, our attempts at communication with NutriBullet have not been answered. The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers.
The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need
Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...