Magecart claims another victim in Newegg merchant data theft

Updated: Researchers have found another example of Magecart's covert activities only 24 hours after the last incident concerning the prolific hacking group.

It was only yesterday that researchers confirmed a massive payment card skimming scheme operated by Magecart which compromised the online store of broadcaster ABS-CBN; now, the cyberthreat group has claimed a fresh victim in Newegg.

Researchers from RiskIQ, together with Volexity, revealed that California-based retailer Newegg is the latest well-known merchant to succumb to the threat actors.

On Wednesday, the security firm said in a blog post that a payment skimming scheme has been in operation since August 13.

The Magecart hacking group, which has been active since 2015, registered a domain called neweggstats.com. Its similarity to Newegg's legitimate domain, newegg.com, suggests it was registered to pass as a genuine extension of the true domain.

Magecart then acquired a security certificate for the domain, issued by Comodo.

According to the researchers, a day after registration, Magecart pointed the domain to 217.23.4.11, which is a server that the group operates in order to receive stolen credit card information.

But where would this data come from?

Newegg itself. Around the same day, the cyberattackers were able to infiltrate Newegg systems and drop payment card skimmer code into the e-retailer's checkout process.

RiskIQ says that the code was obfuscated, a common practice which has linked Magecart to similar attacks on ABS-CBN, British Airways, and Ticketmaster.

After a customer selected a product on the platform and put the item in their online shopping cart, the first step of the checkout process began, which was the validation of a physical address. The customer was then sent to a new page to begin the financial aspect of the purchase.

It was on this page that the malicious code set to work, whether a customer accessed Newegg through a desktop PC or a mobile device.

"The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit," the researchers say. "Hitting that page means a customer went through the first two steps -- they would not be able to hit the checkout page without putting something in a cart and entering a validated address."

The skimmer code contains the same base components as the code used in the British Airways data breach. However, the base code was condensed in this case to only 15 lines of script.
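As an added, defender-side illustration (not RiskIQ's, Newegg's or Magecart's code), the following Python audits a checkout page's script tags and inline script bodies for hosts outside a first-party allowlist and flags brand-containing hosts such as neweggstats.com as lookalikes; the allowlist, the sample markup and the /collect path are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the merchant's security team maintains this first-party allowlist.
ALLOWED_HOSTS = {"newegg.com", "www.newegg.com", "secure.newegg.com"}
BRAND = "newegg"
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")

class ScriptCollector(HTMLParser):
    """Collects external script src attributes and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)
        elif tag == "script":
            self._in_script = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # crude: last two labels, fine for .com

def audit_checkout_page(html):
    """Hosts referenced by scripts and not allowlisted; 'lookalike' if brand-like but not the brand's domain."""
    p = ScriptCollector()
    p.feed(html)
    candidates = [("src", s) for s in p.srcs]
    candidates += [("inline", u) for body in p.inline for u in URL_RE.findall(body)]
    findings = []
    for where, url in candidates:
        host = urlparse(url).hostname  # None for relative paths such as /static/ui.js
        if host and host not in ALLOWED_HOSTS:
            lookalike = BRAND in host and registrable(host) != BRAND + ".com"
            findings.append((where, host, "lookalike" if lookalike else "unknown"))
    return findings

# Constructed sample (not Newegg's real markup): first-party, relative and inline scripts,
# the inline one naming the lookalike domain reported in the article.
SAMPLE_PAGE = """<html><body><script src="https://secure.newegg.com/js/checkout.js"></script>
<script src="/static/ui.js"></script>
<script>var endpoint = "https://neweggstats.com/collect";</script></body></html>"""
```

Running such a check against a stored baseline of the payment page on a schedule is one way to catch an inline change that only appears at the final checkout step.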

[Screenshot. Image: RiskIQ]

The skimmer code was in operation for at least a month and was not removed until September 18th.

RiskIQ senior threat intelligence analyst Yonathan Klijnsma told ZDNet that Volexity disclosed the skimmer's presence to Newegg on the morning of the 18th, and the malicious script was removed by the afternoon.

According to Similarweb, the retailer receives over 50 million visits per month. The covert operation may therefore have snagged the data of millions of Newegg customers.

"RiskIQ's automatic detections of instances of Magecart breaches ping us almost hourly," the company says. "Meanwhile, we're seeing attackers evolve and improve over time, setting their sights on breaches of large brands."

"While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets' websites," RiskIQ added.

Update 20.9, 9.10 BST: A Comodo spokesperson told ZDNet:

"An SSL certificate issued by Comodo CA to neweggstats.com, a domain involved in the attack, used a Comodo CA Domain Validation (DV) certificate.

Comodo CA has revoked the DV certificate. Comodo CA had issued the DV certificate on August 13, 2018, after following all industry standards and Baseline Requirements from the CA/Browser Forum.

While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV, OV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use."

ZDNet has reached out to Newegg and will update if we hear back.