Tupperware-dot-com has a live credit card skimmer on its payment page, warns Malwarebytes
2020-03-25 15:50

Infosec firm Malwarebytes, which made the discovery, has gone public with its findings today after alleging Tupperware ignored attempts to alert it and to get the malware removed from its payment processing pages.

"On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered," said Malwarebytes in a statement.

Malwarebytes' Jerome Segura told The Register: "We understand that businesses have been disrupted in light of the coronavirus crisis, and that employees are working remotely, which accounts for delays. Our decision to go public is to ensure that the problem is being looked at in a timely manner to protect online shoppers." He added that Malwarebytes also alerted mega card payment org Visa in its efforts to get the compromised site cleansed.

Using the iframe to pay for your boxes of goodness instead puts your payment data through a credit card skimmer, via a cunningly-disguised fake session timeout page that lets the criminals reload the correct payment page.

The payment goes through on the second attempt, your data is beamed to the crims, and nobody's the wiser until your bank account suddenly empties or your credit card slams into its upper limits.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/25/tupperware_dot_com_credit_card_skimmer_malwarebytes/

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Malwarebytes | | 9 | 1 | 8 | 14 | 2 | 25 |