Nutribullet, the company that makes those fancy blenders, has a problem.
In general, the problem is not much different from what a lot of other companies have faced. Their website was hacked and one of the Magecart family of credit card skimmers was installed. It turns out that was only the beginning of their problem.
The first infection was discovered on February 20th and was removed on March 1. While 10 days seems quick, in this case it seems a little long. But it did not end there.
Five days later another credit card skimmer was found on the website. The security firm RiskIQ worked with AbuseCH and Shadowserver to get the command and control server taken down.
But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.
But here is the problem.
Removing the skimmer – or skimmers – is not enough.
Taking down the command and control servers is not enough.
The second attack compromised a different jQuery resource.
And the third attack compromised yet another script.
At the time RiskIQ made the announcement of the breach, they had tried to reach someone at Nutribullet for three weeks with no luck. In the announcement they told people not to use the website.
Finally on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach. Three weeks late to the party.
ZDNet reached out to Nutribullet for a comment but has not heard back. Source: ZDNet
Okay. Let's see if we can learn some lessons here. What went wrong?
I often ask how it is that security researchers can contact a company and be ignored. Let's talk about your company. How would some employee deal with that? Is there a process? Is it documented?
After all of the Magecart attacks over the last year, why are they still happening?
How did the hackers get in there in the first place to modify the web pages and libraries? There are two likely possibilities – compromised credentials or missing patches. It is always possible that there is a zero day – an unknown, unpatched vulnerability – but that is the least likely.
More likely than a zero day is that the website could be accessed by support people using only a userid and password. It is not that hard to phish an employee’s credentials. What about your websites? Do you require two factor authentication for all admin access?
Alternatively, maybe there is a missing patch. Are you confident that every single library on your web server is current with every single available patch? Equifax missed one and it didn’t turn out so good for them.
And of course being able to detect malware in real time, as I wrote in the client alert last night – that is pretty important.
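Because each of the three infections landed in a different script, detection has to cover every script the site serves, not only the one that was cleaned. The following is an added example, not code from the original post or from any vendor named in it: a minimal integrity check that hashes every script under a web root and compares the result to a known-good baseline. The function names, the watched file extensions and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types that can carry injected script on this site.
WATCHED_SUFFIXES = {".js", ".html", ".php"}

def sha256_file(path):
    """Hash a file in chunks so large bundles do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(webroot):
    """Map each watched file (path relative to webroot) to its SHA-256."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }

def compare(baseline, current):
    """Report files changed, added or removed since the baseline was taken."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed sample site: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "jquery.min.js").write_text("/* library */")
        (root / "js" / "checkout.js").write_text("/* checkout */")
        baseline = build_manifest(root)
        # Simulated tampering: code appended to a library, plus a new file.
        with open(root / "js" / "jquery.min.js", "a") as fh:
            fh.write("/* appended unknown code */")
        (root / "js" / "extra.js").write_text("/* unexpected file */")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere the web server account cannot write, and regenerate it only as part of a reviewed deployment, so that any change outside a deployment shows up as an alert.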
Right now it looks like the hackers are winning. Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.
What about you? How would you fare?