Online Retailer Newegg Hit by Magecart Card Skimming Gang

The same attackers believed to be responsible for the recent breach of British Airways customer payment data have injected card skimming code into the site of U.S. online retailer Newegg.

The code was identified by researchers from security firms Volexity and RiskIQ in a joint investigation and was removed from the site Sept. 18, when the two companies privately shared their findings with the retailer.

“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” Newegg announced on Twitter. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted.”

According to Volexity and RiskIQ, the malicious snippet of code is very similar to the one found on BA’s website but has been specifically customized for Newegg’s platform. In fact, evidence suggests that Newegg was compromised before BA, with the code appearing on the retailer’s website Aug. 14.

“The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit,” the RiskIQ researchers said in a report.

The payment processing page is the place where customers enter their payment card details after they go through the previous steps of adding products in their carts and entering their delivery addresses for validation.

As in the BA case, the malicious skimming code collected all information entered into the payment form, serialized it and sent it to a domain that the attackers had registered Aug. 13. Also, as in the BA attack, the malicious code was triggered for both desktop and mobile users.

The attackers used a valid TLS certificate on their domain so the data could be siphoned off over HTTPS, most likely because modern browsers block, or at least warn about, requests from an HTTPS page to a plain-HTTP endpoint as mixed content, which would have stopped or exposed the exfiltration from Newegg’s own HTTPS checkout page.

Newegg and BA are just the latest in a long string of companies that have fallen victim to this hacker group, which is known in the security industry as Magecart. Other high-profile companies hit by the gang in recent months include Ticketmaster UK, Feedify and Filipino broadcaster ABS-CBN.

“Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly,” RiskIQ said. “Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands. While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets’ websites.”

Newegg has not yet confirmed that payment card details were compromised in this attack, but given where the code was planted, what it was designed to do and the group’s previous success on BA’s website (380,000 compromised transactions), it is likely that the impact will be similar.

Magecart is not the only group using JavaScript-based card skimming code. A researcher reported recently that another group, dubbed MagentoCore, managed to compromise more than 7,000 Magento-based online shops in this manner, some belonging to multi-million dollar brands.

“While Magecart may be a major threat which eCommerce companies need to protect against, the larger issue is the increasing use of JavaScript-based Data Theft Frameworks,” Volexity warned in its report. “MageCart, as well as other criminal tools such as JS Sniffer, show how a few simple lines of JavaScript on a compromised eCommerce site can lead to a devastating amount of information being stolen.”

Adobe Patches Critical Vulnerabilities in Reader and Acrobat

Adobe Systems has released new security updates for its Reader and Acrobat products, fixing seven vulnerabilities, one rated critical and six rated important.

Only one flaw, tracked as CVE-2018-12848, is rated critical and was reported by Omri Herscovici, a vulnerability researcher with Check Point Software Technologies. The vulnerability is an out-of-bounds write that can lead to arbitrary code execution.

The other six flaws are out-of-bounds reads that can lead to information disclosure. They are rated important rather than critical because, while they do not give code execution on their own, they can be chained with other vulnerabilities (for example, to leak memory addresses that an exploit needs).

Adobe advises users to upgrade to Acrobat and Reader DC 2018.011.20063 if they are on the “continuous” track, to Acrobat and Reader DC 2017 Classic 2017.011.30102, or to Acrobat and Reader DC 2015 Classic 2015.006.30452.

Lucian Constantin

Security Boulevard