A group of scammers using a pervasive hacking technique have spent weeks lurking on the website where NutriBullet customers entered their payment data, according to new findings from a cybersecurity vendor.
RiskIQ published research on Wednesday detailing how a hacking group, known as Magecart Group 8, snuck malicious code onto NutriBullet’s website to collect financial information from customers who purchased blenders and other products from the company. The attack began on Feb. 20 and continues today, despite an interruption between March 1 and March 5, RiskIQ said.
NutriBullet did not respond to multiple requests for comment. RiskIQ said its researchers have spent three weeks trying to contact the company without receiving a response. In a statement, NutriBullet thanked RiskIQ for uncovering the issue.
“The company’s IT team promptly identified malicious code and removed it,” a spokesperson said in an email. “We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution.”
“Magecart” is a blanket name for a hacking technique in which attackers insert a small amount of malicious code into the e-commerce payment process. Magecart groups rely on different techniques, with some compromising the payment system Magento, while others use advertisements or analytics software as an entry point into users’ data. British Airways, Ticketmaster, the alcohol retailer BevMo and the housewares giant OXO are among the thousands of sites that have been affected.
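A defender’s counterpart to the technique described above, as an added example that is not from the article or from RiskIQ: a small Python script that records the `<script>` inventory of a known-good checkout page (external hosts and hashes of inline script bodies) and, on a later crawl, flags scripts served from hosts outside that baseline or inline blocks whose contents changed. The HTML snapshots and hostnames (`shop.example`, `cdn.example`, `static.third-party.invalid`) are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed known-good snapshot of a checkout page (hypothetical hosts).
KNOWN_GOOD_HTML = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/ui.min.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
<form id="payment"><input name="cardnumber"></form>
</body></html>
"""

# Constructed later crawl of the same page: one script now loads from a host
# absent from the baseline, and the inline configuration block has changed.
CURRENT_HTML = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/lib/ui.min.js"></script>
<script src="https://static.third-party.invalid/lib.js"></script>
<script>window.checkoutConfig = {"currency": "USD"}; window.__t = 1;</script>
<form id="payment"><input name="cardnumber"></form>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> element as a (src, inline_body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so buffer it.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_host(src):
    # Relative URLs have no host and are treated as first-party.
    return urlparse(src).hostname or "first-party"


def build_baseline(known_good_html):
    """Record the external hosts and inline-script hashes of a known-good page."""
    hosts, inline_hashes = set(), set()
    for src, body in collect_scripts(known_good_html):
        if src:
            hosts.add(script_host(src))
        else:
            inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
    return {"hosts": hosts, "inline_hashes": inline_hashes}


def audit_scripts(html, baseline):
    """Return (kind, detail) findings for scripts that deviate from the baseline."""
    findings = []
    for src, body in collect_scripts(html):
        if src:
            if script_host(src) not in baseline["hosts"]:
                findings.append(("unexpected-external", src))
        else:
            digest = hashlib.sha256(body.encode()).hexdigest()
            if digest not in baseline["inline_hashes"]:
                findings.append(("unknown-inline", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(CURRENT_HTML, build_baseline(KNOWN_GOOD_HTML)):
        print(f"{kind}: {detail}")
```

Run against the two constructed snapshots, the audit reports the new third-party script URL and the changed inline block. The check only sees what is in the served HTML; a skimmer that a legitimate script pulls in at runtime, or that lives inside an altered first-party file, needs the same comparison applied to the fetched script bodies or to the rendered page, which is why vendors crawl with a real browser.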
NutriBullet markets its blenders as food processors, which are especially useful for converting fruits, vegetables and liquids into smoothies.
RiskIQ determined that the first skimmer had been installed on Feb. 20, then removed by March 1. By March 2, scammers had built a new domain to steal data; that skimmer went down again, then reappeared for a third time on March 10. It’s a cat-and-mouse approach researchers have observed before with Group 8 of Magecart, RiskIQ said.
“Their preferred tactic is focusing on individual victims, avoiding the ‘shotgun approach’ many other Magecart groups take, where they compromise many sites at once and hope for at least one worthwhile victim,” the company said in its report Wednesday. “Instead, Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose.”
The global law enforcement agency Interpol announced in January that police had arrested three men in Indonesia accused of running a Magecart hacking ring, then using the stolen financial data to purchase electronics and luxury goods.
This story was updated March 18 at 1:10pm ET to include a statement from NutriBullet.