Newegg Magecart data breach possibly avoidable

This article originally appeared in SC Magazine on September 20, 2018.

The cyber gang Magecart added another notch to its keyboard, managing to infiltrate online electronics retailer Newegg with payment card skimming malware, according to two reports, with industry experts weighing in that such attacks can be avoided through higher levels of vigilance by corporate cybersecurity teams.

Magecart, which was tagged as responsible for the British Airways, Feedify and Ticketmaster breaches, was named by RiskIQ and Volexity as the actor behind this latest attack. In the Newegg case, about 15 lines of JavaScript were inserted into the site’s code that skimmed payment card details off each transaction.

The breach was active for about a month, and the research firms noted the extent to which the attackers tailored the attack to Newegg so it would not be spotted.

In the Newegg, British Airways and other attacks, Magecart wrote a specialized script and registered new domains that use some aspect of the victim’s name so the malware can operate inside the site undetected.

“Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out. This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain,” the company said.

RiskIQ picks up the story, noting that on Aug. 13, 2018 Magecart registered a domain named neweggstats.com, which initially pointed to a benign parking host but was quickly changed to a new IP address that brought one to a Magecart drop server where the skimmer backend runs to receive skimmed credit card information. The same methodology was used in the British Airways attack.

An SSL certificate was also obtained for this site.

These two actions taken by Magecart should have set off alarm bells within Newegg. Chris Young, a security researcher at Tripwire, said the creation of this domain should have been noticed, while Chris Olson, CEO of The Media Trust, said the malicious JavaScript should also have served as a warning sign.

“For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code,” Young told SC Media.

“Web operators should continuously scan their websites and mobile apps for unauthorized JavaScript code. Doing so will help them quickly identify malicious code so they can terminate it,” Olson said.

At this point, Magecart had inserted its code, only 15 lines’ worth, into Newegg’s checkout process, in a still unspecified manner, and was ready to start gathering info. Another indicator tying this attack to the others was the use of the same base code.

“The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit. Hitting that page means a customer went through the first two steps—they would not be able to hit the checkout page without putting anything in a cart and entering a validated address,” RiskIQ wrote.

The first payment card was stolen on Aug. 14, and the skimming continued until the code was removed on Sept. 18, the two research firms confirmed.

Olson described the attacks as relatively simple in design, the type that require the attacker to find an element in the target site that is not checked. He added that the attacks against these companies show large corporations need to incorporate automated website vulnerability scanners and hire white-hat teams who can assess web app security.

“Web operators should work closely with their web app developers on ensuring improperly formatted data is never inserted into the HTML content that comprises the web application. Even more important, web operators should continuously scan their websites and mobile apps for unauthorized JavaScript code,” he told SC Media.
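Young’s point about noticing a brand-lookalike domain coming online and Olson’s call to continuously scan the site for unauthorized JavaScript can both be turned into a routine check. The Python below is an added example written for this article, not code from Newegg, RiskIQ, Volexity, Tripwire or The Media Trust; the retailer name `example-shop`, the allowlisted script hosts, the two sample pages and the hash-based baseline are all constructed assumptions. It diffs the scripts found on a checkout page against a known-good baseline captured at deploy time and flags any script host outside the allowlist, tagging it separately when that host reuses the brand name.

```python
"""Added example: baseline-diff scan for unauthorized JavaScript on a checkout page.

Hypothetical retailer, hosts and sample HTML are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed assumptions: the brand token and the hosts allowed to serve scripts.
BRAND = "example-shop"
ALLOWED_SCRIPT_HOSTS = {"secure.example-shop.test", "static.example-shop.test"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_scripts(html):
    """Return (external_srcs, inline_sha256_hashes) for every <script> in the page."""
    external, inline = [], []
    for attrs, body in SCRIPT_TAG_RE.findall(html):
        match = SRC_ATTR_RE.search(attrs)
        if match:
            external.append(match.group(1))
        else:
            # Hash the inline body so a changed or newly added script is detectable.
            inline.append(hashlib.sha256(body.strip().encode()).hexdigest())
    return external, inline


def is_brand_lookalike(host, brand=BRAND, allowed=ALLOWED_SCRIPT_HOSTS):
    """True when a host embeds the brand name but is not one of the retailer's own hosts,
    the pattern the article describes for attacker-registered domains."""
    normalized = host.replace("-", "").lower()
    return brand.replace("-", "") in normalized and host not in allowed


def scan_page(html, baseline_inline_hashes, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return findings as (kind, detail) tuples: script hosts outside the allowlist
    (tagged 'lookalike-host' or 'unknown-host') and inline scripts not in the baseline."""
    findings = []
    external, inline = extract_scripts(html)
    for src in external:
        host = urlparse(src).hostname or ""
        if host and host not in allowed:
            kind = "lookalike-host" if is_brand_lookalike(host, allowed=allowed) else "unknown-host"
            findings.append((kind, src))
    for digest in inline:
        if digest not in baseline_inline_hashes:
            findings.append(("unapproved-inline-script", digest[:16]))
    return findings


def build_baseline(html):
    """Capture the set of approved inline-script hashes from a known-good page."""
    _, inline = extract_scripts(html)
    return set(inline)


# Constructed known-good checkout page, as captured at deploy time.
BASELINE_HTML = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.checkoutStep = 2;</script>
</body></html>"""

# Constructed live page: the same scripts plus one external script from a
# brand-lookalike host and one inline script that is not in the baseline.
CURRENT_HTML = """<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.checkoutStep = 2;</script>
<script src="https://example-shopstats.test/s.js"></script>
<script>document.addEventListener("submit", function (e) { /* altered */ });</script>
</body></html>"""


if __name__ == "__main__":
    approved = build_baseline(BASELINE_HTML)
    for finding in scan_page(CURRENT_HTML, approved):
        print(finding)
```

In practice the baseline would be rebuilt on every approved deploy and the scan run on a schedule against the live checkout page, so that a script appearing from a host outside the allowlist, or an inline script whose hash was never approved, raises an alert for the security team to investigate rather than being discovered a month later.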

The fact that Newegg was attacked directly, instead of being accessed through a third party, was picked up by Matan Or-El, co-founder and CEO of Panorays.

“In particular, Feedify was attacked as a means of compromising the large number of e-commerce providers that rely on its technology. Clearly, we are seeing third-party attacks becoming a part of industrialized hacking,” Or-El said.

SC Media contacted Newegg for a statement on the attack, but has not yet received a response.