Wednesday, September 19th 2018

Newegg Compromised by Magecart Assault; Potential Data Theft for Over a Month

Magecart is a relatively new online exploit group that has been in the news in recent months for affecting British Airways and Ticketmaster. This hitherto-unrecognized group injects a precious few lines of malicious code into a website as a web-based card skimmer script, which then steals the sensitive data that customers enter in the payment sections of the affected websites. Two large digital threat management outfits, RiskIQ and Volexity, today released their reports on how Newegg was similarly affected from August 13, 2018 through September 18, 2018, and what this means to users who may have performed a transaction on the website during this period.

In particular, Newegg.com was affected when the criminals behind Magecart registered the neweggstats.com domain (now inactive) via domain provider Namecheap. As RiskIQ points out, the domain was soon changed to point to the 217.23.4.11 IP address, a Magecart server that was used to receive and store all user data collected from the compromise that has happened since. A fake certificate was issued to add a layer of legitimacy to the domain, as seen below. Be sure to read past the break to find out more details, and also what the bottom line is for affected users.
Volexity at this point was able to spot malicious JavaScript code limited to the secure.newegg.com page, which presented itself during the checkout stage of transactions done on Newegg. This code, seen below, only appeared once, during the billing information section, but was enough to collect user data including name, address, and also payment details, which were then sent over to the drop server mentioned above.
Both agencies mention that the first time the hack was active was August 14, and the first confirmed attack took place on August 16. The manner of this compromise was identical to how Magecart affected other companies before. If anything, the attackers managed to make their code more efficient by needing only 8 lines of code here compared to the 22 lines they used with British Airways. The Volexity report, cited below, shares more technical information on how the attack works if you are interested. The malicious code was removed on September 18, after Newegg received word of it and took some action. The company has since put out a short statement on social media acknowledging the attack, with more relevant details sent out to potentially affected users. If you or anyone you know received this email, please share it with us so we may update this story accordingly.
As it stands, this web-based skimmer was active for over a month and worked on both the desktop and mobile websites. There is no word yet on whether the Newegg mobile apps were similarly affected. This is certainly not good news to anyone, especially at a time when new hardware may have resulted in transactions in the affected period. Newegg is a giant e-tailer in the PC DIY industry, with over 50 million monthly visits. Both RiskIQ and Volexity warn that everyone who has had a transaction on the website in the affected time period should keep an eye on their credit report (if appropriate), and work on re-issuing the form of payment used for said transaction(s). For example, if you used a credit card then talk to your bank to get that cancelled and have them issue you a new card as soon as possible. Magecart, as with other JavaScript-based criminal tools, is showing no signs of slowing down given the relatively simple attack strategy, and hopefully not many of us end up victims.
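An added example, not code from RiskIQ, Volexity or Newegg: a defender-side audit of the hosts a checkout page contacts, flagging any host that carries the brand name without belonging to the real domain, as neweggstats.com did. The approved third-party host, the URL paths and the sample request list are constructed assumptions.

```javascript
// Added example: audit hosts contacted by a checkout page for brand look-alikes.
// APPROVED, the URL paths and sampleRequests are constructed for illustration.
const FIRST_PARTY = "newegg.com";
const BRAND = "newegg";
const APPROVED = ["payments.example"]; // hypothetical vetted payment provider

// True when host is the domain itself or one of its subdomains.
function isSameSite(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify one request URL recorded while the payment form was on screen.
function classifyRequest(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (err) {
    return { url, host: null, verdict: "unparseable" };
  }
  if (isSameSite(host, FIRST_PARTY)) return { url, host, verdict: "first-party" };
  if (APPROVED.some((d) => isSameSite(host, d))) return { url, host, verdict: "approved-third-party" };
  // Brand string inside a host that is not under the brand's own domain:
  // this is how neweggstats.com relates to newegg.com.
  if (host.replace(/[-.]/g, "").includes(BRAND)) {
    return { url, host, verdict: "brand-lookalike" };
  }
  return { url, host, verdict: "unknown-third-party" };
}

// Return only the requests a reviewer needs to look at.
function auditCheckout(requests) {
  const trusted = new Set(["first-party", "approved-third-party"]);
  return requests.map(classifyRequest).filter((r) => !trusted.has(r.verdict));
}

// Constructed sample of request URLs from one checkout page load.
const sampleRequests = [
  "https://secure.newegg.com/checkout",
  "https://payments.example/tokenize",
  "https://neweggstats.com/collect",
  "https://newegg.com.cdn.example/lib.js",
  "https://cdn.example/app.js",
  "not a url",
];

console.log(auditCheckout(sampleRequests));
```

Feeding it the request list from a browser HAR export or a synthetic-monitoring run of the payment page gives a short review queue instead of a full network log.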

[Update: September 19, 2018: TechPowerUp member xkm1948 was kind enough to share a screenshot of the email he received from Newegg, which can be seen below]
Sources: RiskIQ, Volexity

21 Comments on Newegg Compromised by Magecart Assault; Potential Data Theft for Over a Month

#1
xkm1948
I received the email. I have been buying components during this time period for a new build. So far I haven’t noticed any strange activities on my CC. Called CC issuer this afternoon and replacement card is already on the way.
#2
FreedomEclipse
~Technological Technocrat~
Hopefully the cops can dig deep and find out where all the details were being sent or who was accessing the data.
#3
VSG
Editor, Reviews & News
xkm1948 said:
> I received the email. I have been buying components during this time period for a new build. So far I haven’t noticed any strange activities on my CC. Called CC issuer this afternoon and replacement card is already on the way.
Do you mind sharing a screenshot of that email, after having removed your personal details of course?
#4
newtekie1
Semi-Retired Folder
I made several orders in that time frame, but no email yet.
#6
VSG
Editor, Reviews & News
In reply to xkm1948:
Thanks a lot!
#7
Aquinus
Resident Wat-man
I haven't ordered anything off NewEgg for years. I used to use them all the time but, then this whole "family" thing happened and I suddenly couldn't buy components all the time anymore. :rolleyes:
#8
Norton
Moderator & WCG-TPU Captain
newtekie1 said:
> I made several orders in that time frame, but no email yet.
I didn't have any orders within that time either but I did get a notice from my bank earlier today about a data breach somewhere and getting my card replaced. Don't think I saved my card there though since I tend not to do that..
#9
MrGenius
PayPal. Always PayPal. I can't remember the last time I used my debit/credit card for anything (other than for getting cash out of the ATM).
#10
Athlonite
Norton said:
> I didn't have any orders within that time either but I did get a notice from my bank earlier today about a data breach somewhere and getting my card replaced. Don't think I saved my card there though since I tend not to do that..
Apparently it used similar technology as a card skimmer to read what you input so whether you saved your details or not doesn't help, if you used your CC in the time period mentioned chances are they have your CC details.
#11
yotano211
I use gift cards for most online orders under $500, I get them for free at my bank. Any unspent funds I use for everyday stuff.
#12
TheOne
Bought a few things over the month, so far no email.
#13
StrayKAT
Online commerce... not the improvement it was touted as, for sure.

Since when did you ever hear of this crap 30 years ago? Or see a cottage industry of "Anti-Identity Theft" companies? And whatnot.
#14
TheOne
I don't know if it would have made a difference, but maybe I should use Kaspersky's Safe Banking.

Also CM Hyper T2 or AMD Wraith Stealth?
#15
Ahhzz
Very glad I haven't bought anything there for years now....
#16
DeathtoGnomes
Used to be a loyal customer of newegg for over a decade, after they jacked vega prices and saw hugely inflated prices in other places, I no longer buy from @Newegg. Glad I don't or I might have this headache to deal with.

Don't take chances, get a new CC and change your password there ASAP.
#17
newtekie1
Semi-Retired Folder
Athlonite said:
> Apparently it used similar technology as a card skimmer to read what you input so whether you saved your details or not doesn't help, if you used your CC in the time period mentioned chances are they have your CC details.
Yep, ironically I think saved cards are actually safe from this attack.
#18
Caring1
New import taxes and high prices from the Australian Newegg stop me from buying there.
#19
RejZoR
Athlonite said:
> Apparently it used similar technology as a card skimmer to read what you input so whether you saved your details or not doesn't help, if you used your CC in the time period mentioned chances are they have your CC details.
I don't know for the rest of the world, but when I'm paying with MasterCard directly (rarely), I get MasterCard verification dialog where my bank sends me an SMS with verification code which I then enter. Meaning, without SMS verification, it's impossible to make a purchase even if they have entire card number and CC verification code from it. But I generally stick with PayPal as it's much more secure in this regard.
#21
Bones
Got things checked and dealt with this morning, nothing suspicious seen and the cards have been replaced.