Magecart Strikes Again, Siphoning Payment Info from Newegg

The incident, hard on the heels of the British Airways breach, shows that Magecart is quickly evolving and shows no signs of slowing down.

The Magecart threat actor, which just made headlines with the British Airways breach, has been racking up conquests lately and shows no signs of slowing down. This week, it added a new feather to its compromise cap: The Newegg online retailer.

Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site, according to researchers, harvesting credit-card details from online shoppers.

While the exact number of victims is not known – Threatpost has reached out to Newegg for comment – inferences can be made. “Over an entire month of skimming, we can assume this attack claimed a massive number of victims,” said the analyst team at RiskIQ in a Wednesday post.

To carry out the attack, Magecart operators first registered a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. This was meant to mimic Newegg’s primary domain, newegg.com.

“Registered through Namecheap, the malicious domain…[pointed to] a Magecart drop server where their skimmer backend runs to receive skimmed credit-card information,” RiskIQ researchers said. “At this point, the server was ready for an attack—an attack against the customers of newegg.com. Around Aug. 14, the attackers placed the skimmer code on Newegg, managing to integrate it into the checkout process and achieve their goal of disguising it well.”

The skimmer was injected into the Newegg payment processing page itself, using either compromised website details obtained via a targeted attack or perhaps with access purchased on a black market. It then set about capturing both desktop and mobile customer information.

The analysis shows that the group took the blueprint from the British Airways incident and simply repeated it.

“The skimmer code is recognizable from the British Airways incident, with the same basecode,” RiskIQ researchers explained. “All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways..the elements of the British Airways attacks were all present in the attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible.”

There was a new improvement in the Newegg offensive, however, indicating that the actors are becoming adept at keeping code lightweight and hard to spot. “While the functionality of the script is nearly identical, it is worth noting that the attackers have managed to minimize the size of the script even more, from 22 lines of code in the British Airways attack to a mere eight lines for Newegg, 15 if the code is beautified,” explained Volexity, in a Wednesday technical analysis.

The approach was slightly different than the tack taken by Magecart in the Ticketmaster attack, because this skimmer was self-hosted and seamlessly integrated into Newegg’s website. In the Ticketmaster compromise, hackers placed a skimmer on various Ticketmaster websites through the compromise of a third-party functionality for chat known as Inbenta.

Taken together, it’s clear that the group is evolving and maturing – and highly active.

“Magecart attacks are surging – RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly,” RiskIQ researchers said. “Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands.”

Suggested articles