NewEgg cracked in breach, hosted card-stealing code within its own checkout

Enlarge / Splat. (credit: John Liu)

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways-while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.

The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain's TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers' infrastructure.

Read 5 remaining paragraphs | Comments