This article originally appeared in SC Magazine on September 20, 2018.
The cyber gang Magecart added another notch to its keyboard, infiltrating online electronics retailer Newegg with payment card skimming malware, according to two reports. Industry experts weighed in that such attacks can be avoided through higher levels of vigilance by corporate cybersecurity teams.
The breach was active for about a month, and the research firms noted the lengths the attackers went to in tailoring the attack to Newegg so it would not be spotted.
In the Newegg, British Airways and other attacks, Magecart wrote a specialized script and registered new domains that use some aspect of the victim’s name so the malware can operate inside the site undetected.
RiskIQ picks up the story, noting that on Aug. 13, 2018 Magecart registered a domain named neweggstats.com, which initially pointed to a benign parking host but was quickly changed to a new IP address that led to a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. The same methodology was used in the British Airways attack.
An SSL certificate was also obtained for this site.
“For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code,” Young told SC Media.
At this point, Magecart had inserted its code, only 15 lines’ worth, into Newegg’s checkout process, in a still unspecified manner, and was ready to start gathering info. Another indicator tying this attack to the others was the use of the same base code.
“The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit. Hitting that page means a customer went through the first two steps—they would not be able to hit the checkout page without putting something in a cart and entering a validated address,” RiskIQ wrote.
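The pattern described above (a freshly registered domain carrying the victim’s name, referenced from code injected into the checkout page itself) suggests a concrete check a retailer’s security team can run against its own checkout markup. The following Python script is an added example written for this article, not code from RiskIQ, the other research firm cited, or Newegg. It parses a checkout page, collects every host referenced from tag attributes and from URL literals inside inline scripts, flags hosts absent from the first-party and approved-third-party allowlists, and singles out those whose domain label contains the brand name. The sample HTML, the allowlists and the domain example-cdn.net are constructed for the example; only neweggstats.com comes from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page (not Newegg's real markup). It carries
# the retailer's own assets, one legitimate third-party library, and an inline
# script that references neweggstats.com, the domain named in the article.
# The inline script body is a placeholder, not the skimmer itself.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.newegg.com/static/checkout.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"></script>
</head><body>
<form id="payment" action="/checkout/pay" method="post"></form>
<script>
  // placeholder: a handler that talks to an unexpected host on submit
  var endpoint = "https://neweggstats.com/";
  document.getElementById("payment").addEventListener("submit", function () {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", endpoint);
  });
</script>
</body></html>
"""

# Assumed inventory for the retailer (hypothetical allowlists).
OWNED_DOMAINS = ["newegg.com"]
ALLOWED_THIRD_PARTIES = ["example-cdn.net"]

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?")


class _RefCollector(HTMLParser):
    """Collect every host referenced by tag attributes or by URL literals
    inside inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self._in_script = False

    def _add(self, url):
        host = urlparse(url).hostname
        if host:
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for key, value in attrs:
            if key in ("src", "href", "action") and value:
                self._add(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # The skimmer sat on the payment page itself rather than in a separate
        # script file, so scanning only <script src> attributes would miss it.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._add(url)


def is_owned(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_lookalike(host, brand, owned_domains):
    """Flag a host outside the owned domains whose registrable label contains the brand."""
    if is_owned(host, owned_domains):
        return False
    labels = host.split(".")
    # Naive registrable-domain guess (second-level label); a real deployment
    # should consult the public suffix list instead.
    registrable_label = labels[-2] if len(labels) >= 2 else labels[0]
    return brand.lower() in registrable_label


def audit_checkout(html, brand, owned_domains, allowed_third_parties):
    """Return all referenced hosts, those on neither allowlist, and the subset
    of those that look like brand-impersonating domains."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    unexpected = sorted(
        h for h in collector.hosts
        if not is_owned(h, owned_domains) and not is_owned(h, allowed_third_parties)
    )
    lookalikes = [h for h in unexpected if is_lookalike(h, brand, owned_domains)]
    return {"hosts": sorted(collector.hosts), "unexpected": unexpected, "lookalike": lookalikes}


if __name__ == "__main__":
    report = audit_checkout(SAMPLE_CHECKOUT_HTML, "newegg", OWNED_DOMAINS, ALLOWED_THIRD_PARTIES)
    for key, hosts in report.items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

Run on its own, the script prints the three host lists; on the sample the only unexpected host is neweggstats.com, which is also the lookalike hit. The inline-script scan is the part that matters here, since a check limited to script src attributes would never see a skimmer placed on the payment page itself. Pair a check like this with monitoring of new domain registrations and certificate issuance for the brand name, since in this case the domain was registered and given a certificate the day before the first card was taken.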
The first payment card was stolen on Aug. 14, and the skimming continued until the code was removed on Sept. 18, the two research firms confirmed.
Olson described the attacks as relatively simple in design and of the type that require the attacker to find an element in the target site that is not checked, adding that the attacks against these companies show large corporations need to incorporate automated website vulnerability scanners and hire white-hat teams who can assess web app security.
The fact that Newegg was attacked directly, instead of being accessed through third parties, was picked up by Matan Or-El, co-founder and CEO of Panorays.
“In particular, Feedify was attacked as a means of compromising the large number of e-commerce providers that rely on its technology. Clearly, we are seeing third-party attacks becoming a part of industrialized hacking,” Or-El said.
SC Media contacted Newegg for a statement on the attack, but has not yet received a response.