Online retailers have increasingly come under attack in 2018 from a hacking group known as Magecart. The latest victim is allegedly online computer parts retailer Newegg, which admitted on Sept. 19 that it was breached.
Volexity Threat Research working in collaboration with RiskIQ identified the attack on Newegg. According to the two research groups, Newegg may have been breached for over a month, with attacks beginning on approximately Aug. 14. The research groups noted that the malicious code was removed from the Newegg site on Sept. 18.
“Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site,” Newegg wrote in a Twitter message. “We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted.”
Attackers registered the neweggstats.com domain on Aug. 13, with an SSL/TLS certificate created for the site at the same time. According to Yonathan Klijnsma, threat researcher at RiskIQ, the Magecart attackers registered the domain in an attempt to blend in with Newegg’s primary domain.
“Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page,” Klijnsma wrote in a blog post.
Newegg has not publicly stated how many customers have been impacted by the data breach. The company has sent out a letter to customers, noting that it plans on publishing a complete set of details in an FAQ page by Sept. 21. In Klijnsma’s view, given that Newegg’s site gets approximately 50 million visitors a month and that the Magecart skimmer was active for a month, there could be a “massive” number of victims.
According to Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), the Newegg breach is an example of how Certificate Transparency (CT) logs can be a useful source for threat intelligence. With CT logs, SSL/TLS certificates are logged and presented to the public, enabling organizations to identify any misissuance. There are multiple freely available tools for checking CT logs, including the Certificate Transparency Monitoring tool from social media giant Facebook.
“In this case, the attack campaign started with the attackers setting up an HTTPS server at neweggstats.com,” Young wrote in an email to eWEEK. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”
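The two checks Young describes, written out as an added example (not code from the article, RiskIQ, Volexity or Tripwire): flag brand-impersonating names in CT log entries, then look for script references in checkout markup that point outside an allowlist. The CT record field names, the naive apex extraction, and the sample records and HTML are assumptions constructed for the demonstration; only neweggstats.com comes from the article.

```python
import re

LEGIT_APEX = "newegg.com"        # the brand's own registrable domain
BRAND_TOKENS = ("newegg",)       # substrings that suggest impersonation

# Constructed CT-style records; field names are an assumption, not any
# specific CT search API. neweggstats.com is the domain named in the article.
SAMPLE_CT_ENTRIES = [
    {"not_before": "2018-08-13", "common_name": "neweggstats.com",
     "name_value": "neweggstats.com\nwww.neweggstats.com"},
    {"not_before": "2018-08-01", "common_name": "secure.newegg.com",
     "name_value": "secure.newegg.com"},
    {"not_before": "2018-08-20", "common_name": "*.newegg-support.net",
     "name_value": "*.newegg-support.net\nnewegg-support.net"},
]

def registrable_domain(hostname):
    """Naive apex: last two labels (wildcards dropped). Fine for .com/.net;
    a production monitor would consult the Public Suffix List instead."""
    labels = [l for l in hostname.lower().strip(".").split(".") if l != "*"]
    return ".".join(labels[-2:])

def is_lookalike(hostname):
    """True when the name carries the brand token but is not under the real apex."""
    apex = registrable_domain(hostname)
    return apex != LEGIT_APEX and any(t in apex for t in BRAND_TOKENS)

def flag_ct_entries(entries):
    """Return (common_name, not_before, [matching names]) per suspicious cert."""
    findings = []
    for e in entries:
        names = set(e["name_value"].split("\n")) | {e["common_name"]}
        hits = sorted(n for n in names if is_lookalike(n))
        if hits:
            findings.append((e["common_name"], e["not_before"], hits))
    return findings

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)')

def foreign_script_hosts(html, allowed_apexes):
    """Hosts of <script src> tags whose registrable domain is not allowlisted."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m and registrable_domain(m.group(1)) not in allowed_apexes:
            hosts.add(m.group(1).lower())
    return sorted(hosts)

# Constructed checkout fragment: the second tag is the kind of newly added
# reference the article says a security team should look for.
SAMPLE_CHECKOUT_HTML = """
<script src="https://secure.newegg.com/js/checkout.js"></script>
<script src="https://neweggstats.com/js/stats.js"></script>
<script src="//cdn.example-cdn.net/lib.js"></script>
"""
```

Correlating the two outputs (a flagged CT name that also appears as a script host on the checkout page) is what turns a lookalike certificate into an actionable incident lead.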
“It’s also a good practice to connect an SMS notification service so that if you see a notification of a suspicious operation, you can immediately block the card in order to avoid further fraudulent operations,” she said.