back to article Tupperware-dot-com has a live credit card skimmer on its payment page, warns Malwarebytes

Tupperware, maker of the plastic food containers beloved of the Western middle classes, has an active and ongoing malware infection on its website that steals credit card data and passes it to criminals. Infosec firm Malwarebytes, which made the discovery, has gone public with its findings today after alleging Tupperware …

  1. Spudley
    Coat

    Branded lunchbox biz didn't answer for 5 days, alleges infosec firm

    I guess they were trying to keep a lid on it.

    1. Saruman the White
      Facepalm

      Their lids are sealed

    2. Steve K Silver badge

      Yes..

      ..a veritable information vacuum

      They have resealed no information yet

  2. Andy Non Silver badge

    The infosec firm has

    boxed them in now.

    1. Will Godfrey Silver badge
      Coat

      Re: The infosec firm has

      Pandora might disagree!

  3. idiottaxpayerhere previously ishtiaq/theghostdeejay

    This is why

    I use a prepaid debit card for all online buying.

    1. MiguelC Silver badge

      Re: This is why

      Single use virtual cards for me.

      1. Michael Wojcik Silver badge

        Re: This is why

        Single use, or for repeated payments (e.g. regular bills), dedicated virtual cards with tight limits.

        I use privacy.com for that; so far it's worked well. I also like the fact that they'll accept any name + address information, so you don't have to provide real details to sites with no need for them.

    2. Tomato Krill

      Re: This is why

      It’s why I use your prepaid debit card too now :)

  4. Pascal Monett Silver badge

    "the little HTTPS padlock shows up in the browser address bar"

    That is going to be an interesting explanation, when Tupperware gets down to it.

    1. Inventor of the Marmite Laser Silver badge

      Re: "the little HTTPS padlock shows up in the browser address bar"

      At least they'll be able to keep it fresh

    2. Cynic_999 Silver badge

      Re: "the little HTTPS padlock shows up in the browser address bar"

      The code has been planted on the server, so will be SSL encrypted along with everything else. Or did you think the padlock means that some sort of virus protection is in place?

      1. Anonymous Coward
        Anonymous Coward

        Re: "the little HTTPS padlock shows up in the browser address bar"

        Not really it's an iframe so it's not planted on 'the server'. However as crooks are now also using SSL for their malicious intents then the page is deemed to have full SSL and won't create a problem.

        1. Tomato Krill

          Re: "the little HTTPS padlock shows up in the browser address bar"

          The reason the iframe Is loaded though, is code inserted On the server no?

          1. Michael Wojcik Silver badge

            Re: "the little HTTPS padlock shows up in the browser address bar"

            I haven't looked at this in any detail, but based on the article (as I remember it):

            The "code" is just HTML, specifically an IFRAME element. That element was inserted into the content included in some page served by tupperware.com. (I'm not clear on the exact mechanism; the article mentions malware contained in an image file, but something had to decode that and inject the iframe into the page.)

            The IFRAME's SRC is a URL referring to deskofhelp.com; that's the server controlled by the attacker. So the content of the IFRAME, which is a malicious payment-submission form, is loaded from the attacker's server.

            So some of the "code" (such as it is) is hosted by tupperware.com, and the rest is hosted by deskofhelp.com.

            It's all HTTPS, so the page doesn't contain mixed content. The padlock indicator is working as expected.

          2. Anonymous Coward
            Anonymous Coward

            Re: "the little HTTPS padlock shows up in the browser address bar"

            I would imaging the iframe loader is on a third party site that is loaded via a javascript src file. Not directly on their server.

            Checkout page rules: Do not use any third party code on that page (or a login page). Do not load a third party payment s[processor into an ifarme.

  5. Stuart Halliday
    Thumb Up

    Well, at least Malwarebytes customers will be protected I assume.

  6. Ken Moorhouse Silver badge

    Best not to open any Tupperware box...

    If you didn't fill it yourself, and you don't know who did...

  7. Smooth Newt
    Trollface

    What's the betting?

    What's the betting that when Tupperware do respond, the first line of their statement to the press will be something like "Customer security is our top priority".

    1. NATTtrash Bronze badge
      Trollface

      Re: What's the betting?

      ...and we take it very seriously...

  8. Trollslayer Silver badge
    Thumb Up

    PayPal

    I use this online if offered, a one time link takes me to PayPal and I approve the transaction.

    1. Michael Wojcik Silver badge

      Re: PayPal

      I don't like PayPal, personally - they're under-regulated and have a history of bad practices (e.g. cutting off services for organizations they don't like, apparently on political grounds). And the transition from the vendor site to PayPal is ripe for phishing. It's probably more secure than paying directly with a conventional credit or debit account, particularly if the site wants to store your payment details - I wouldn't trust the vast majority of online vendors to do that to a reasonable degree of security under a reasonable threat model.

      But virtual credit cards are very likely safer, and they provide more control and privacy than PayPal.

      1. ShadowDragon8685

        Re: PayPal

        Also, apparently they used to just confiscate anyone's money if they didn't like how it was being earned - say, commissioned artwork that happened to fall afoul of PayPal's morals.

        If they're going to be behaving like a financial institution, they need to be regulated as such.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020