Newegg Is Latest Retailer to Be a Victim of Magecart Malware

Online retailers have increasingly come under attack in 2018 from a hacking group known as Magecart. The latest victim is allegedly online computer parts retailer Newegg, which admitted on Sept. 19 that it was breached.

Volexity Threat Research working in collaboration with RiskIQ identified the attack on Newegg. According to the two research groups, Newegg may have been breached for over a month, with attacks beginning on approximately Aug. 14. The research groups noted that the malicious code was removed from the Newegg site on Sept. 18.

“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” Newegg wrote in a Twitter message. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted.”

Magecart has been implicated in multiple high-profile attacks in recent months, including ones on British Airways on Sept. 7 and Ticketmaster on June 27.

Volexity reported that the Magecart attackers were able to inject a few lines of malicious JavaScript code onto a webpage that is shown to consumers during the Newegg checkout process. “The malicious code specifically appeared once when moving to the Billing Information page while checking out,” Volexity researchers wrote in a blog post. This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.”

Attackers registered the neweggstats.com domain on Aug. 13, with an SSL/TLS certificate created for the site at the same time. According to Yonathan Klijnsma, threat researcher at RiskIQ, the Magecart attackers registered the domain in an attempt to blend in with Newegg’s primary domain.

“Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page,” Klijnsma wrote in a blog post.

Newegg has not publicly stated how many customers have been impacted by the data breach. The company has sent out a letter to customers, noting that it plans on publishing a complete set of details in an FAQ page by Sept. 21. In Klijnsma’s view, given that Newegg’s site gets approximately 50 million visitors a month and that the Magecart skimmer was active for a month, there could be a “massive” number of victims.

Industry Reaction

According to Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), the Newegg breach is an example of how Certificate Transparency (CT) logs can be a useful source for threat intelligence. With CT logs, SSL/TLS certificates are logged and presented to the public, enabling organizations to identify any misissuance. There are multiple freely available tools for checking CT logs, including the Certificate Transparency Monitoring tool from social media giant Facebook.

“In this case, the attack campaign started with the attackers setting up an HTTPS server at neweggstats.com,” Young wrote in an email to eWEEK. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”

There are several things that consumers can do to help protect themselves from being a victim of a Magecart-related attack. Leigh-Anne Galloway, cyber-security resilience lead at Positive Technologies, commented in an email to eWEEK that consumers can use the NoScript browser extension to block potentially malicious JavaScript from running. She also recommends that banks make use of 3-D Secure technology, which is a protocol-based approach that requires additional confirmation when paying.

“It’s also a good practice to connect SMS notification service so that if you see the notification of a suspicious operation, you can immediately block the card in order to avoid further fraudulent operations,” she said.