{"id":13236,"date":"2018-09-20T04:32:09","date_gmt":"2018-09-20T04:32:09","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/whas-that-smell-oh-its-newegg-cracked-wide-open-by-skimmers\/"},"modified":"2018-09-20T04:32:09","modified_gmt":"2018-09-20T04:32:09","slug":"whas-that-smell-oh-its-newegg-cracked-wide-open-by-skimmers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/whas-that-smell-oh-its-newegg-cracked-wide-open-by-skimmers\/","title":{"rendered":"Wha’s that smell? Oh, it’s Newegg cracked wide open by skimmers"},"content":{"rendered":"

Netizens buying stuff from Newegg had their bank card details skimmed for a month by hackers who stashed the Magecart toolkit on the dot-com’s payment pages.<\/p>\n

From August 16 to September 18, shoppers’ sensitive card data was silently copied by the Magecart code during the site’s checkout process, and sent to neweggstats.com, which was created on August 13 by fraudsters to collect this information. The domain also had a digital certificate from Comodo to make it look nice and legit.<\/p>\n

The spyware would only appear at a certain point when completing a purchase, allowing it to evade researchers until it was finally discovered, reported, and removed on September 18. The malware was put there by miscreants compromising Newegg’s systems.<\/p>\n

And, yes, Magecart is the same malicious JavaScript toolset that was secretly deployed on Ticketmaster<\/a>‘s website to nab revelers’ card data, smuggled onto British Airways’ site and app to snoop on roughly 380,000 flight bookings<\/a>, and injected into Feedify’s libraries<\/a><\/p>\n

to compromise hundreds more e-commerce outfits.<\/a><\/p>\n

However, as infosec shop Volexity explained on Wednesday<\/a>, the miscreants who targeted Newegg shrunk the card-siphoning Magecart code from the 22 lines deployed against BA to a mere eight lines, or 15 if the code is beautified.<\/p>\n

\"Newegg<\/a><\/p>\n

Part of the attack code, specifically, the JavaScript on the checkout page to nick payment card data … Click to embiggen<\/p>\n<\/div>\n

RiskIQ, which previously investigated the BA and Ticketmaster security breaches, also noted on Wednesday<\/a> that the rest of the approach against Newegg was the same: \u201cThe elements of the British Airways attacks were all present in the attack on Newegg: they integrated with the victim\u2019s payment system and blended with the infrastructure, staying there as long as possible.\u201d<\/p>\n

Newegg confirmed its systems had been hacked to squeeze Magecart into its webpages:<\/p>\n

\n

Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site. We\u2019re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted. Please check your email<\/p>\n

\u2014 Newegg (@Newegg) September 19, 2018<\/a><\/p><\/blockquote>\n

Here’s Volexity’s analysis of the data theft process:<\/p>\n

\n

To start off the script, window.onload = function() ensures all page elements are loaded prior to execution. The (\u2018#btnCreditCard.paymentBtn.creditcard\u2019).bind(\u201cmouseup touchend\u201d portion will then bind the button btnCreditCard within the class paymentBtn.creditcard to all mouseup and touchend events with the following actions defined below:<\/p>\n