#Privacy: Tupperware website targeted with credit card skimmer

Researchers have discovered a targeted cyber attack against the kitchenware brand Tupperware. 

Identified by Malwarebytes on March 20, threat actors compromised the official Tupperware website in addition to its associated websites, by hiding malicious code within an image file. 

A fraudulent payment form is then activated during the checkout process. The form then collects customer payment data via a credit card skimmer, which is then passed on to the threat actors. 

“In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward,” said Malwareybytes

Malwarebytes added that the actors behind the attack put a fair amount of work into integrating the credit card skimmer seamlessly and remaining undetected. 

Malwarebytes discovered the malicious activity during a web crawl after identifying a suspicious-looking iframe when visiting the Tupperware checkout page. The iframe displays the payment forms fields to shoppers. 

The domain had been created on March 9 and registered to an email address with Russian provider Yandex. It should be noted that many newly registered domains are often used by threat actors prior to a new campaign. 

“There is one small flaw in the integration of the credit card skimmer: The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English.”

Malwarebytes notified Tupperware of its findings but the skimmer was still active when the findings were published. However, in an update researchers stated that it noticed that the malicious PNG file was removed and soon after the JavaScript was also removed. 


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/