Newegg hacked: The new victim of Magecart malware

Share this…

A team of experts in ethical hacking analyzed this recent attack

Last September 6, a security incident compromised the personal data of thousands of British Airways customers; now, about two weeks later, the alleged actors behind the airline’s data theft seem to have found a new victim of their campaign: the electronics vendor Newegg.

Over the recent days, experts in ethical hacking published details about British Airways data theft, moments after the company made its first public announcement about the event. The attack on the airline was very selective and was done through a tactic that has been implemented and perfected for years.

The report on the British Airways attack was released shortly after it was revealed that Magecart was also behind the data breach of Ticketmaster in the mid-2018. As research continues, it is becoming clear to specialists in ethical hacking that these simple but intelligent attacks are not only devastating, but are becoming increasingly common; Newegg is only the most recent victim.

Newegg data breach shows the true reach of the group behind Magecart. These attacks are not limited to certain geographic areas or specific industries, as it has been proven that any organization that processes online payments is a potential target of this campaign. The characteristic elements of the attack on British Airways were present in the attack on Newegg, for example, they were integrated with the payment systems of the victims and were mixed with the infrastructure, staying there as long as possible.

Disguised attacks

On August 13, the group behind the campaign registered a domain called with the intention of mixing with the main domain of Newegg, Registered through Namecheap, the malicious domain initially targeted a standard host. However, the actors changed it to a day later, a Magecart crash server running the backup server of their skimmer to receive the stolen information from the payment cards. Similar to the British Airways attack, these actors acquired a certificate for the domain, thus giving it a legitimate appearance.

By then, the server was ready to an attack against customers. Around August 14, the attackers placed the skimmer in Newegg, managing to integrate it into the payment process in a very discreet way.

When a customer wants to buy a product in Newegg must follow the following steps:

  • Place the product in the shopping cart
  • Enter the delivery details and verify that they are correct
  • When a valid address is entered, the customer is redirected to the payment page, where the card data must be entered

The skimmer was placed on the payment processing page, not a script, so it would not be shown unless the payment page was integrated. Users could not access the payment page without placing anything in the car and enter a validated address.

According to experts in ethical hacking from the International Institute of Cyber Security, the first time the skimmer was activated was around August 14, being withdrawn from the website of Newegg until September 18, which means that the attackers remained on site for more than a full month; the skimmer also worked in the version of the desktop site as for the mobile version.