Newegg hit by payment detail breach, researchers claim

September 19, 2018 // 1:59 p.m.

Tags: #breach #card-verification-value #credit-card #cvv #insecurity #magecart #payment-details #security #yonathan-klijnsma

Companies: #british-airways #newegg #riskiq #volexity

Researchers have claimed that US computing retailer Newegg has suffered a data breach, likely from the same attackers responsible for the breach in British Airways' payment system earlier this month, resulting in the theft of payment card details.

The breach in British Airways' payment system was reported by its parent company International Airlines Group (IAG) earlier this month, admitting that an attack on its web server had resulted in all payment details - including the card verification value (CVV) digits from the rear of the card, a security measure designed to prevent abuse of stolen stored card details - over a two-week period being obtained by attackers unknown. Now, researchers responsible for analysing the original attack and identifying it as a customised variant of the Magecart malware are back with the claim that Newegg has become the next victim - and had the malware on its site for a month.

'On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com,' reads a report by Yonathan Klijnsma of RiskIQ, which worked with Volexity on its analysis of the attack. 'Registered through Namecheap, the malicious domain initially pointed to a standard parking host. However, the actors changed it to 217.23.4.11 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. At this point, the server was ready for an attack—an attack against the customers of newegg.com. Around August 14th, the attackers placed the skimmer code on Newegg, managing to integrate it into the checkout process and achieve their goal of disguising it well.'

'The JavaScript leveraged in this attack is very similar to that observed from the British Airways compromise,' Volexity's own report reads. 'The code in this case is customized to work with the Newegg website and send data to a different domain the attackers created in an attempt to blend in with the website. While the functionality of the script is nearly identical, it is worth noting that the attackers have managed to minimize the size of the script even more, from 22 lines of code in the British Airways attack to a mere 8 lines for Newegg, 15 if the code is beautified.'

Unlike BA, however, Newegg had not yet issued a statement on the breach by the time the issue went public - though it appears to have removed the malicious code from its site. Customers of Newegg, which launched a UK site back in 2014, can expect to be contacted in the coming days.


Discuss this in the forums

QUICK COMMENT

bit-tech Mod of the Year 2018 in Association with Corsair - Nominate Your Favourite Mods!

Week in review

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU