Two reports released today by RiskIQ and Volexity detail how the MageCart script was injected into the Newegg site for a little over a month while quietly stealing customers' payment information.
According to the reports, the attackers registered a domain called neweggstats.com on August 13th. This domain was used as a drop site that collected credit card details stolen from Newegg's site. Volexity further stated that the attacks went live on Newegg's site around August 16th.
"Through its global sensors network, Volexity was able to confirm attacks via Newegg three days later on August 16, 2018," Volexity stated in its report. "Based on data that Volexity obtained from its sensor network, it appears the code may have been added somewhere between 15:45 and 20:20 UTC. It is possible that the attackers started earlier, however, Volexity’s review of various networks with Newegg transactions earlier in the day and leading up to this time show no connections back to neweggstats.com."
As Newegg is one of the largest online retailers of technology components, computers, and hardware, the number of victims affected by this breach could be quite large.
"With the size of the business evaluated at $2.65 billion in 2016, Newegg is an extremely popular retailer," security researcher Yonathan Klijnsma stated in a RiskIQ blog post about this attack. "Alexa shows that Newegg has the 161st most popular site in the U.S. and Similarweb, which also gathers information on site visits, estimates Newegg receives over 50 million visitors a month. Over an entire month of skimming, we can assume this attack claimed a massive number of victims."
When users purchase an item at Newegg they are asked to enter their shipping information and then continue to a second page where they enter their payment information. On this second page of the checkout process, where Newegg collects payment information from the customer, the 15-line MageCart script shown below was injected.
When the page loaded, the script bound itself to the button users press after entering their credit card details. When that button was pressed, the script took the contents of the form, serialized them to JSON, and uploaded them to https://neweggstats.com/GlobalData/.
The neweggstats.com site, though, is not owned by Newegg but was operated by the attackers. This allowed them to steal the credit card details of customers who purchased items from Newegg during the month the site was compromised.
To the user, the purchase would simply have continued as if nothing had happened.
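Added example, not code from the article or from either report: a small checker for whether a page's Content-Security-Policy connect-src would let a script on the checkout page send an XHR or fetch to the drop site named above. It assumes the checkout page origin https://secure.newegg.com (a constructed value) and that the upload used XHR/fetch; a plain form submission would fall under form-action instead.

```python
from urllib.parse import urlparse

PAGE_ORIGIN = "https://secure.newegg.com"  # constructed assumption
DROP_URL = "https://neweggstats.com/GlobalData/"  # drop site from the reports
# A policy that confines connections to Newegg hosts, and a loose one that does not.
STRICT_CSP = "default-src 'self'; connect-src 'self' https://*.newegg.com; form-action 'self'"
LOOSE_CSP = "default-src 'self' https: 'unsafe-inline'"

def parse_policy(policy: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def host_matches(pattern: str, host: str) -> bool:
    """CSP host-source matching: exact host, or '*.example.com' for subdomains."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def connection_allowed(policy: str, page_origin: str, dest: str) -> bool:
    """True if a fetch/XHR from page_origin to dest passes connect-src (falling
    back to default-src; with neither present, CSP imposes no limit)."""
    directives = parse_policy(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True
    page, target = urlparse(page_origin), urlparse(dest)
    for src in (s.lower() for s in sources):
        if src == "*":
            return True
        if src == "'self'":  # same scheme, host and port as the page
            if (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port):
                return True
            continue
        if src.endswith(":") and "//" not in src:  # scheme-source such as https:
            if target.scheme == src[:-1]:
                return True
            continue
        if src.startswith("'"):  # 'none', nonces, hashes never authorise a connection
            continue
        src_url = urlparse(src if "://" in src else "//" + src)  # host-source
        if src_url.scheme and src_url.scheme != target.scheme:
            continue
        if src_url.hostname and host_matches(src_url.hostname, target.hostname or ""):
            return True
    return False
```

A policy like STRICT_CSP limits where a script already running on the page can send data; it does not stop the script from being injected into the site's own files in the first place.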
With the increasing use of scripts like MageCart to steal credit card details, Bleeping Computer asked RiskIQ researcher Yonathan Klijnsma how e-commerce site operators can better protect themselves from these types of malicious scripts.
Klijnsma told BleepingComputer that "Protection is very hard, mostly because they generically take any avenue they can get."
With that said, Klijnsma tweeted about some ways to configure your payment form and submission process to make it more difficult for scripts like MageCart to steal payment details.
A very simple defense against #magecart to make it harder for them to pull out your customers' payment data:
Randomize the form and input field names/IDs. Map them back using session information on your server when you process checkout.
— Yonathan Klijnsma (@ydklijnsma), September 19, 2018
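Added example, not Klijnsma's or Newegg's code: the per-session field-name randomization the tweet describes, in plain Python with an in-memory dict (a constructed stand-in) playing the role of the server's session store.

```python
import secrets

# Canonical payment fields the checkout handler understands; these names
# never appear in the HTML sent to the browser.
PAYMENT_FIELDS = ("card_number", "card_expiry", "card_cvv", "cardholder_name")

# Constructed stand-in for a real server-side session backend:
# session_id -> {random_name: canonical_name}
SESSIONS: dict[str, dict[str, str]] = {}

def issue_form_names(session_id: str) -> dict[str, str]:
    """Generate fresh random input names for this session and store the
    reverse mapping server-side. Returns {canonical_name: random_name}."""
    mapping = {field: "f_" + secrets.token_hex(8) for field in PAYMENT_FIELDS}
    SESSIONS[session_id] = {rand: field for field, rand in mapping.items()}
    return mapping

def render_form(session_id: str) -> str:
    """Render the payment form using only the session-specific names and ids.
    Visible labels may still say 'Card number'; only attributes are randomized."""
    names = issue_form_names(session_id)
    inputs = "\n".join(f'<input type="text" name="{names[f]}" id="{names[f]}">' for f in PAYMENT_FIELDS)
    return f'<form method="post" action="/checkout">\n{inputs}\n</form>'

def process_checkout(session_id: str, posted: dict[str, str]) -> dict[str, str]:
    """Map the posted random names back to canonical fields via the session.
    The mapping is single-use and any unexpected field name rejects the
    submission, so a stale or forged form cannot be decoded."""
    reverse = SESSIONS.pop(session_id, None)
    if reverse is None:
        raise ValueError("no form mapping for this session")
    if set(posted) != set(reverse):
        raise ValueError("unexpected field names in submission")
    return {reverse[rand]: value for rand, value in posted.items()}
```

As the tweet says, this makes extraction harder rather than impossible: a skimmer that serializes the whole form, as the one on Newegg did, still captures the values, so the measure belongs alongside controls on where page scripts may send data.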
Newegg has started to send its customers an email apologizing for the breach and explaining what has happened. According to the email, signed by Newegg CEO Danny Lee, the company will create a FAQ regarding this breach and post it on its website by Friday.
The full text of the email being sent to Newegg customers is below:
Dear Customer,

Yesterday, we learned one of our servers had been injected with malware which may have allowed some of your information to be acquired by a third party. The malware was quite sophisticated and we are conducting extensive research to determine exactly what information may have been acquired or accessed and how many customers may have been impacted. We will keep you up to date with our progress and work to ensure this doesn't happen again. The malware is no longer on our site and we will be doing our best to bring the culprits to justice.

We have not yet determined which customer accounts may have been affected, but out of an abundance of caution we are alerting those accounts at risk as soon as possible so that they can keep an eye on their accounts for any suspicious activity. We hope by alerting you quickly to help prevent any misuse of information that may have been acquired or accessed.

By Friday, we will publish an FAQ that will answer common questions we get; we will send you a link as soon as it goes live. We will also publish the link on our social media platforms. We want to make sure you are completely informed.

We are very sorry circumstances have warranted this message. We are working diligently to address this issue and will provide additional information to you shortly.

Sincerely,
Danny Lee, CEO Newegg
Bleeping Computer has contacted Newegg for more information about this attack and the number of affected customers, but had not heard back by the time of this publication.