1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Newegg hit by same hacker group that targeted British Airways

By Shawn Knight · 14 replies
Sep 19, 2018
Post New Reply
  1. Computer hardware and electronics retailer Newegg has fallen victim to a data theft campaign that was nearly identical to the one recently used to swipe personal and financial data from British Airways customers.

    According to cybersecurity solutions and services firm Volexity, malicious JavaScript was added to Newegg in mid-August. It appeared when moving to the billing information page during checkout where it siphoned off credit card data before sending it to the attackers over SSL / TLS via the domain neweggstats.com.

    Newegg removed the offending code on September 18. The Magecart group is reportedly behind the attack according to Volexity and RiskIQ.

    It’s unclear exactly how many victims were hit although considering Newegg generated $2.65 billion in revenue in 2016 and has more than 50 million visitors a month, the figure is probably pretty large.

    The code used in the Newegg attack is functionally very similar to what was used against British Airways albeit more streamlined. Whereas the British Airways attack utilized 22 lines of code, the Newegg attack was carried out using just eight lines of code (or 15 if the code was “beautified”).

    Anyone that shopped at Newegg over the past month is encouraged to contact their bank immediately for a replacement card.

    Permalink to story.

  2. ShagnWagn

    ShagnWagn TS Guru Posts: 722   +559

    Why only the last month? Newegg feels they need to save everybody's credit card. I guess their entire database didn't get scraped? It should be illegal to store customer private credit card information.
  3. lipe123

    lipe123 TS Evangelist Posts: 799   +332

    What I don't get is how they managed to just change the websites code?!
    If you run a large website like newegg don't you mark it as read only and have super tight controls over who gets to modify the code?
  4. Evernessince

    Evernessince TS Evangelist Posts: 3,991   +3,479

    Good thing I only use paypal on newegg.
  5. ComputerService

    ComputerService TS Rookie

    The 8 lines of Javascript that I've seen make me think that using a saved credit to make a purchase would not have been exposed your credit card number (during the hacked time frame).
    The code only runs on your browser side - I assume that new egg does not send the saved credit card data to the browser just to have the browser reupload it, so the hackers would have only gotten your CVV (that you have to reenter) from the browser.

    That's the 8 lines of Javascript - who knows what else the hackers might have done - is that it? or did they have other data exfiltration from the server itself ?
    IAMTHESTIG likes this.
  6. texasrattler

    texasrattler TS Evangelist Posts: 713   +284

    So if you haven't used newegg say in awhile, other than monitoring maybe your back account and changing the password, all good???

    IAMTHESTIG TS Evangelist Posts: 1,720   +805

    Yeah some of you guys missed the point, this was a JavaScript based hack which other than the fact the websites code was modified; the data is being stolen from the client side - meaning your computer. So it wouldn't matter if your card info was saved or not on Newegg's site.

    This is pretty damn scary though, because their supposed "SECURE CHECKOUT" wasn't so secure as their site was maliciously modified.

    Guess I better get some new credit cards now... great.

    Newegg should compensate customers for this inconvenience.
    BMAN61 likes this.
  8. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,364   +5,001

    Yeah I'm sure they would send everyone a lollypop.
  9. Wizwill

    Wizwill TS Booster Posts: 101   +48

    It is in California. Unsecured credit data carries a $250,000 fine!
  10. Godel

    Godel TS Addict Posts: 173   +88

    A posting on Slashdot suggested that the data was captured as you typed it in, so a saved card may have been safe, but they may have captured your CVV number which has to be typed in.
  11. fktech

    fktech TS Maniac Posts: 526   +138

    So that's where my new laptop went....

    IAMTHESTIG TS Evangelist Posts: 1,720   +805

    Hmm, that would be insufficient. ;)
  13. David40

    David40 TS Member Posts: 29

    If they know who did this why doesn't someone arrest them?
  14. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,962   +577

    Private credit card information should not be stored in the "card" value. Like how the chips work, tokens are generated for transactions. A similar system could be used for vendors. Create a token for the vendor to save rather than the original credit card info. Expire the token periodically so users regenerate tokens and so on.

    You could then do cool things like bind the token to the originating domain for the transaction so even if read, the ability to use it anywhere meaningful is low.
  15. ShagnWagn

    ShagnWagn TS Guru Posts: 722   +559

    I would prefer to just not store the card number at all once the transaction takes place. It only takes maybe 10 seconds to type the card number in at purchase. I need to look into a card that I can generate a single-purchase card number. I'm really surprised all credit card companies don't do this. It would drastically reduce, if not nearly eliminate, internet fraud.
    Last edited: Sep 21, 2018

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...