Card Not Present Fraud , Data Loss Prevention (DLP) , Governance & Risk Management

'Magecart' Card-Sniffing Gang Cracks Newegg

E-Commerce Site Investigates Malware Attack and Payment Card Data Theft
'Magecart' Card-Sniffing Gang Cracks Newegg

Online retailer Newegg says it is investigating an outbreak of malware on its systems that was designed to sniff customers' payment card details. Two security firms, RiskIQ and Volexity, say the malware may have been active for more than a month.

See Also: Global State of Identities: Optimizing Identity Proofing

The security firms say the Newegg breach appears to be the latest attack by a criminal group or groups dubbed Magecart, which recently targeted British Airways and Ticketmaster.

Newegg, based in City of Industry, California, says it is notifying potentially affected customers via email. Officials at Newegg could not be immediately reached for comment on the breach, including additional details.

Newegg didn't say how many cards or customers may be affected. Founded in 2001, Newegg is an online storefront that sells a variety of consumer electronics, housewares and clothing. Although it pales in size compared to e-commerce giant Amazon, Newegg's sales make it one of the world's top 250 e-commerce vendors. In 2016, Chinese technology firm Hangzhao Liaison Interactive Information Technology acquired a majority stake in Newegg.

SimilarWeb, an online marketing and analytics company, puts Newegg's monthly traffic at more than 50 million visitors, most of whom live in the United States.

Magecart specializes in what RiskIQ calls "digital skimmer" software - malicious code that gets injected into a site and is then used to sniff or intercept any payment card data entered by an e-commerce website customer.

"Over an entire month of [digital] skimming, we can assume this attack claimed a massive number of victims," says Yonathan Klijnsma, a threat researcher at RiskIQ, in a blog post.

Malicious Code Steals Card Data

Magecart has had notable success planting its card-stealing malware, either directly into websites or by infecting third-party tools used by the targeted companies. The code collects payment card details, which can then be sold on so-called "carding" sites that offer stolen details to other criminals to monetize.

RiskIQ's Klijnsma says the attack against Newegg bears many similarities to the Magecart attack against British Airways. In fact, the attack against Newegg may have begun just one week before attackers hit the airline, Volexity's threat research team says in a blog post.

The attack against British Airways compromised as many as 380,000 payment cards between Aug. 15 and Sept. 5. It affected anyone who bought or changed a ticket using the website or mobile app (see Hacker Flies Away With British Airways Customer Data).

For the Newegg attack, the attackers set up a spoofed domain, www.neweggstats[dot]com, on Aug. 13, Klijnsma writes. The domain was registered with Namecheap, and the site appears to have functioned as a drop server, or a place where attackers could send stolen card data. The attackers also obtained a domain-validated TLS/SSL certificate from Comodo for the domain.

The TLS/SSL certificate for the spoofed Newegg domain (Source: Volexity)

Mobile-Friendly Attack Code

For the next stage of attack, the card-stealing code was inserted into Newegg's payment pages. While it's unclear how the attackers did this, researchers say it may have involved exploiting a vulnerability in Newegg's infrastructure. Klijnsma says that the malicious script was placed on the payment processing page itself and would have activated after someone added an item to their cart and entered a validated email address.

Compared to the British Airways breach, Volexity says Magecart's attack code is even more streamlined.

"While the functionality of the script is nearly identical, it is worth noting that the attackers have managed to minimize the size of the script even more, from 22 lines of code in the British Airways attack to a mere 8 lines for Newegg, [or] 15 if the code is beautified," Volexity says.

JavaScript, designed to steal payment card data, that was inserted into Newegg's payment pages. (Source: Volexity)

The code was also designed to send the payment card details entered by a customer as soon as the victim pressed and released on a touchscreen or mouse.

"This is worth noting, as it is taking into account the large number of mobile or touch-enabled tablets and devices used today," Volexity says.

Third-Party Code Risks

In the breach at Ticketmaster, a third-party tool used by the company was compromised, which then gave attackers entrée into Ticketmaster's sites.

The ticket sales and distribution giant, which is part of Live Nation Entertainment, blamed the breach on embedded chatbot software from a company called Inbenta. Ticketmaster had added the JavaScript-based chatbot software to its card payment pages, which Inbenta said it should never have done (see Ticketmaster Breach Traces to Embedded Chatbot Software).

Ticketmaster said the breach affected less than 5 percent of its customer base, which would equal about 11.5 million individuals. Victims included U.K. customers who bought a ticket between February through June, when the breach was discovered, and international customers who bought tickets from September 2017 onwards.

RiskIQ has said that the Magecart group has compromised a variety of widely used third-party tools used by websites. The company said in July that it appeared the Ticketmaster was also affected by tampering with a different third-party marketing and analytics tool made by a company called SociaPlus.

RiskIQ said at the time that other software suppliers that may have been struck by Magecart included PushAssist, Clarity Connect and Annex Cloud (see RiskIQ: Ticketmaster Hackers Compromised Widely Used Tools).

Unfortunately, it doesn't appear that Magecart's attack campaigns are likely to subside anytime soon. RiskIQ, which crawls 2 billion web pages a day looking for suspicious activity and scritps, says it detects Magecart-related breaches "almost hourly." Some, with attack infrastructure disguised to look like the real thing, also point to more advanced efforts and attackers having spent a significant amount of time in the planning stages.

"While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets' websites," Klijnsma says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.