Branded lunchbox biz didn't answer for 5 days, alleges infosec firm
I guess they were trying to keep a lid on it.
Tupperware, maker of the plastic food containers beloved of the Western middle classes, has an active and ongoing malware infection on its website that steals credit card data and passes it to criminals. Infosec firm Malwarebytes, which made the discovery, has gone public with its findings today after alleging Tupperware …
Single use, or for repeated payments (e.g. regular bills), dedicated virtual cards with tight limits.
I use privacy.com for that; so far it's worked well. I also like the fact that they'll accept any name + address information, so you don't have to provide real details to sites with no need for them.
I haven't looked at this in any detail, but based on the article (as I remember it):
The "code" is just HTML, specifically an IFRAME element. That element was inserted into the content included in some page served by tupperware.com. (I'm not clear on the exact mechanism; the article mentions malware contained in an image file, but something had to decode that and inject the iframe into the page.)
The IFRAME's SRC is a URL referring to deskofhelp.com; that's the server controlled by the attacker. So the content of the IFRAME, which is a malicious payment-submission form, is loaded from the attacker's server.
So some of the "code" (such as it is) is hosted by tupperware.com, and the rest is hosted by deskofhelp.com.
It's all HTTPS, so the page doesn't contain mixed content. The padlock indicator is working as expected.
I would imagine the iframe loader is on a third party site that is loaded via a javascript src file. Not directly on their server.
Checkout page rules: Do not use any third party code on that page (or a login page). Do not load a third party payment processor into an iframe.
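An added example, not part of the thread: one way a site owner could check a checkout page's static markup against the rule above by listing every script or frame loaded from a host other than the page's own. The hostnames, the sample page and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute pulls active content into the page.
ACTIVE_TAGS = {"script", "iframe", "frame", "embed"}


class ThirdPartyAudit(HTMLParser):
    """Collect (tag, host) for active content served from a non-allowed host."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        # The page's own host is always first-party.
        self.allowed = {urlsplit(page_url).hostname, *allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or frame without src: not covered here
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, src)).hostname
        if host not in self.allowed:
            self.findings.append((tag, host))


def audit(page_url, html, allowed_hosts=()):
    parser = ThirdPartyAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample checkout page (hypothetical hosts).
SAMPLE = """<html><head>
<script src="/js/cart.js"></script>
<script src="//cdn.example/analytics.js"></script>
</head><body>
<form action="/pay"><input name="card"></form>
<iframe src="https://forms.attacker.example/pay.html"></iframe>
<img src="https://img.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, host in audit("https://shop.example/checkout", SAMPLE):
        print(f"third-party <{tag}> from {host}")
```

This only sees markup present in the served HTML. An iframe injected at runtime by a script, as described earlier in the thread, would need a check against the rendered DOM or a Content-Security-Policy restricting `script-src` and `frame-src`.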
I don't like PayPal, personally - they're under-regulated and have a history of bad practices (e.g. cutting off services for organizations they don't like, apparently on political grounds). And the transition from the vendor site to PayPal is ripe for phishing. It's probably more secure than paying directly with a conventional credit or debit account, particularly if the site wants to store your payment details - I wouldn't trust the vast majority of online vendors to do that to a reasonable degree of security under a reasonable threat model.
But virtual credit cards are very likely safer, and they provide more control and privacy than PayPal.