Tupperware, makers of popular plastic kitchenware and home products, was found to have a card skimmer on its e-commerce website. The malware was active on their website at least since 9 March 2020 before it was removed today. The information security firm, Malwarebytes, who discovered the malware tried to inform Tupperware but was ignored.
Card Skimmer’s Discovery
Malwarebytes discovered the card skimming malware on Tupperware’s website on 20 March 2020. According to Malwarebytes, the malware was loaded onto Tupperware’s website around 9 March. The sites affected included Tupperware’s US and Canadian e‑commerce sites.
The card skimming malware worked through a PNG image file that cybercriminals embedded into Tupperware’s above-mentioned e-commerce sites. The cybercriminals cleverly managed to hide malicious code within the image file so that it would evade detection.
Card Skimming malware is used by cybercriminals to steal credit card data from victims. Consequently, Malwarebytes told The Register, that they decided to go public to protect shoppers who were buying Tupperware products online. Malwarebytes allegedly tried to alert Tupperware of the security breach for 5 days to no avail before they went public.
Tupperware’s Response to Card Skimmer Discovery
Yesterday Malwarebytes said in a statement: “On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.”
Today the active digital credit card skimmer was removed by Tupperware. However, Tupperware has not yet informed any of its customers of the breach to their e‑commerce sites. Therefore, many customers are most likely still unaware that their personal and financial data may have been compromised.
A spokesperson for Tupperware said today: “Tupperware recently became aware of a potential security incident involving unauthorised code on our US and Canadian e-commerce sites. As a result, we promptly launched an investigation, took steps to remove the unauthorised code, and a leading data security forensics firm was engaged to assist in the investigation. We also contacted law enforcement.”
How can Consumers Protect Themselves from Card Skimming?
Security experts recommend that consumers not save their credit card information on websites since these can be hacked. It is also important to check and confirm that the website looks and behaves normally.
Another good precaution consumers could take is to enable purchase alerts and monitoring services on their credit cards. This minimizes the amount of time cybercriminals can use compromised credit cards before they are discovered.
Finally, security experts advise that consumers only shop using their cards when at home or if using a VPN connection. Public WiFi connections can be convenient, but their privacy and safety cannot be guaranteed.