Reply to post: Re: "the little HTTPS padlock shows up in the browser address bar"

Tupperware-dot-com has a live credit card skimmer on its payment page, warns Malwarebytes

Michael Wojcik Silver badge

Re: "the little HTTPS padlock shows up in the browser address bar"

I haven't looked at this in any detail, but based on the article (as I remember it):

The "code" is just HTML, specifically an IFRAME element. That element was inserted into the content included in some page served by tupperware.com. (I'm not clear on the exact mechanism; the article mentions malware contained in an image file, but something had to decode that and inject the iframe into the page.)

The IFRAME's SRC is a URL referring to deskofhelp.com; that's the server controlled by the attacker. So the content of the IFRAME, which is a malicious payment-submission form, is loaded from the attacker's server.

So some of the "code" (such as it is) is hosted by tupperware.com, and the rest is hosted by deskofhelp.com.

It's all HTTPS, so the page doesn't contain mixed content. The padlock indicator is working as expected.
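The distinction drawn in the comment above, as an added example that is not part of the original post: a check that separates what the padlock reacts to (an insecure frame on a secure page) from who actually serves the frame. The two domain names come from the post; the paths, the frame list and the one-entry allowlist are constructed for illustration.

```javascript
// Added example: classify iframe sources collected from a rendered page.
// In a browser the list could be taken from the live DOM, for instance
//   [...document.querySelectorAll('iframe')].map(f => f.getAttribute('src'))
// so that frames injected by script at runtime are included.

// True if host is the allowed name itself or a subdomain of it.
function hostMatches(host, allowed) {
  return host === allowed || host.endsWith('.' + allowed);
}

function auditFrames(pageUrl, frameSrcs, allowedHosts) {
  const page = new URL(pageUrl);
  return frameSrcs.map((src) => {
    let url;
    try {
      url = new URL(src, page); // resolves relative and scheme-relative srcs
    } catch (e) {
      return { src, verdict: 'unparseable' };
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      return { src, verdict: 'non-network' }; // about:blank, data:, ...
    }
    // What the padlock reacts to: an insecure frame on a secure page.
    const mixedContent = page.protocol === 'https:' && url.protocol === 'http:';
    // What the padlock does not look at: which host serves the frame.
    const allowed = allowedHosts.some((h) => hostMatches(url.hostname, h));
    const verdict = !allowed ? 'unexpected-origin'
      : mixedContent ? 'mixed-content' : 'ok';
    return { src, host: url.hostname, mixedContent, allowed, verdict };
  });
}

// Constructed sample input (paths and allowlist are assumptions).
const PAGE = 'https://tupperware.com/checkout';
const FRAMES = [
  '/widgets/cart.html',
  'https://deskofhelp.com/pay/form.html',
  'http://tupperware.com/legacy/banner.html',
  'about:blank',
];
const ALLOWED = ['tupperware.com'];

for (const r of auditFrames(PAGE, FRAMES, ALLOWED)) {
  console.log(r.verdict.padEnd(18), r.src);
}
```

The second frame is served over HTTPS, so it is not mixed content and the padlock is unaffected, yet it is the only one from a host the site did not expect.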
