Hackers identified as being part of Magecart Group 8 attacked NutriBullet’s website multiple times during the last few months, according to new RiskIQ research released on Wednesday (March 18).
The group injected credit card-skimming malware into the blender maker’s payment pages and swiped personal details like card numbers, names, billing addresses, expiration dates and card verification numbers.
The attackers first hit on Feb. 20, placing a JavaScript skimmer on the website, RiskIQ discovered. It was removed by March 1, but another skimmer was added on March 5 in a new script, and on March 10 the attackers added yet another skimmer in another script. The cybersecurity firm believes there are still vulnerabilities.
“After multiple attempts to contact NutriBullet and receiving no response, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims,” RiskIQ said.
Magecart Group 8 has been active since 2016 and has hacked at least 200 domains, with many victims, and created 88 unique actor-owned domains. Other victims include Amerisleep, MyPillow and Philippine broadcast company ABS-CBN. The group also targeted a diamond exchange that involved six merchants from six different states.
“Group 8 attacks and skims specific sites they seem to cherry-pick for a particular purpose,” RiskIQ said.
The San Francisco-based startup said it detects multiple Magecart breaches every 60 minutes.
“Unfortunately, given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities. They’re learning from past attacks to stay one step ahead, so it’s on the security community to do the same,” the cybersecurity firm said.
RiskIQ head of threat research Yonathan Klijnsma told TechCrunch that people should avoid the NutriBullet website until the company “acknowledges our outreach and performs a cleanup.”
Peter Huh, chief information officer at NutriBullet, confirmed the attacks to the news outlet and said it “launched forensic investigations” into the incident. He said the company will “work closely with outside cybersecurity specialists to prevent further incursions.”
RiskIQ was founded in 2009 by Brad Byrd, Chris Kiernan, David Pon and Elias Manousos. The firm protects the websites of eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies worldwide.
The Federal Trade Commission (FTC) has begun sending more than $5 million in refunds to consumers who were harmed by a deceptive credit card debt relief scheme.
The funds in this distribution came from ACRO Services, which operated under multiple names and ran the scheme, and BlueSnap, which provided payment processing services and profited from the scheme, the FTC said in a Tuesday (Jan. 21) press release.
The FTC’s complaint against ACRO Services charged that it ran a deceptive telemarketing operation that made phony debt relief promises to consumers, charged consumers unlawful upfront enrollment fees, and charged monthly fees for “credit monitoring” services, according to the release.
ACRO Services operated under names that included American Consumer Rights Organization, Consumer Protection Resources, Reliance Solutions, Thacker & Associates and Tri Star Consumer Group, the release said.
The individual defendants in that case agreed to a settlement order banning them from the debt relief and telemarketing industries and requiring them to surrender assets to be used to refund consumers.
Payment processor BlueSnap and its former CEO Ralph Dangelmaier and former Senior Vice President Terry Monteith agreed to a settlement order that required them to pay $10 million and stop processing payments for debt collection or debt relief companies and for companies listed in a fraud monitoring program.
In a statement emailed to PYMNTS at the time of that settlement, BlueSnap CEO Henry Helgeson, whose arrival as CEO was one of several changes at the company’s senior management level, said that the company regrets the actions of the former employees, intends to comply with all FTC directives and has always had tools in place to identify fraudulent activity on its platform — though those tools were ignored by the executives charged by the FTC.
In the distribution of refunds announced Tuesday, the FTC is sending checks to 7,687 consumers, according to the press release.
In another, separate case, the FTC said in December that it got a court order to shutter Superior Service in a student debt relief case.
FTC lawsuits resulted in over $324 million in refunds to consumers in 2023, the regulator said in a June press release.