Newegg hit by same hacker group that targeted British Airways

Shawn Knight

Why it matters: Newegg is the latest online retailer to be targeted by Magecart, the data hacking group that also struck British Airways and Ticketmaster. Odds are, it won't be the last, either.

Computer hardware and electronics retailer Newegg has fallen victim to a data theft campaign that was nearly identical to the one recently used to swipe personal and financial data from British Airways customers.

According to cybersecurity solutions and services firm Volexity, malicious JavaScript was added to Newegg's site in mid-August. It loaded when shoppers reached the billing information page during checkout, where it siphoned off credit card data before sending it to the attackers over SSL/TLS via the domain neweggstats.com.

Newegg removed the offending code on September 18. According to Volexity and RiskIQ, the Magecart group is behind the attack.

It's unclear exactly how many victims were hit, although considering Newegg generated $2.65 billion in revenue in 2016 and has more than 50 million visitors a month, the figure is probably large.

The code used in the Newegg attack is functionally very similar to what was used against British Airways, albeit more streamlined. Whereas the British Airways attack used 22 lines of code, the Newegg attack was carried out with just eight lines (or 15 if the code was "beautified").

Anyone who shopped at Newegg over the past month is encouraged to contact their bank immediately for a replacement card.


 
Why only the last month? Newegg feels they need to save everybody's credit card. I guess their entire database didn't get scraped? It should be illegal to store customer private credit card information.
 
What I don't get is how they managed to just change the website's code?!
If you run a large website like Newegg, don't you mark it as read-only and have super tight controls over who gets to modify the code?
 
The 8 lines of Javascript that I've seen make me think that using a saved credit card to make a purchase would not have exposed your credit card number (during the hacked time frame).
The code only runs on your browser side - I assume that Newegg does not send the saved credit card data to the browser just to have the browser re-upload it, so the hackers would have only gotten your CVV (that you have to re-enter) from the browser.

That's the 8 lines of Javascript - who knows what else the hackers might have done. Is that it, or did they have other data exfiltration from the server itself?
 
So if you haven't used Newegg, say, in a while, other than monitoring maybe your bank account and changing the password, all good???
 
Yeah, some of you guys missed the point: this was a JavaScript-based hack; other than the fact that the website's code was modified, the data is being stolen from the client side - meaning your computer. So it wouldn't matter if your card info was saved or not on Newegg's site.

This is pretty damn scary though, because their supposed "SECURE CHECKOUT" wasn't so secure as their site was maliciously modified.

Guess I better get some new credit cards now... great.

Newegg should compensate customers for this inconvenience.
 
Why only the last month? Newegg feels they need to save everybody's credit card. I guess their entire database didn't get scraped? It should be illegal to store customer private credit card information.

It is in California. Unsecured credit data carries a $250,000 fine!
 
Yeah, some of you guys missed the point: this was a JavaScript-based hack; other than the fact that the website's code was modified, the data is being stolen from the client side - meaning your computer. So it wouldn't matter if your card info was saved or not on Newegg's site.

This is pretty damn scary though, because their supposed "SECURE CHECKOUT" wasn't so secure as their site was maliciously modified.

Guess I better get some new credit cards now... great.

Newegg should compensate customers for this inconvenience.

A posting on Slashdot suggested that the data was captured as you typed it in, so a saved card may have been safe, but they may have captured your CVV number which has to be typed in.
 
Why only the last month? Newegg feels they need to save everybody's credit card. I guess their entire database didn't get scraped? It should be illegal to store customer private credit card information.
Private credit card information should not be stored in the "card" value. Like how the chips work, tokens are generated for transactions. A similar system could be used for vendors. Create a token for the vendor to save rather than the original credit card info. Expire the token periodically so users regenerate tokens and so on.

You could then do cool things like bind the token to the originating domain for the transaction so even if read, the ability to use it anywhere meaningful is low.
 
Private credit card information should not be stored in the "card" value. Like how the chips work, tokens are generated for transactions. A similar system could be used for vendors. Create a token for the vendor to save rather than the original credit card info. Expire the token periodically so users regenerate tokens and so on.

You could then do cool things like bind the token to the originating domain for the transaction so even if read, the ability to use it anywhere meaningful is low.

I would prefer to just not store the card number at all once the transaction takes place. It only takes maybe 10 seconds to type the card number in at purchase. I need to look into a card for which I can generate a single-purchase card number. I'm really surprised all credit card companies don't do this. It would drastically reduce, if not nearly eliminate, internet fraud.
 