Popular computer and web retailer NewEgg has apparently been hit by the same payment data theft attacks that targeted TicketMaster UK and British Airways. The attackers, referred to by investigators as Magecart, managed to inject 15 lines of JavaScript into the NewEgg web store checkout that sent credit card and other data to a server with a domain name that made it look like part of NewEgg’s website infrastructure. It appears that all of the website’s transactions in the past month were affected by the breach.
The details of the breach are reported today by security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research. The attack was shut down by NewEgg on September 18, but appears to have been siphoning off payment data since August 16, according to the security researchers’ reports. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are similar to the attack on British Airways: while the Ticketmaster breach was through code injected from a third-party service provider, both the BA breach and the NewEgg attack are the result of compromises of JavaScript hosted by the companies themselves.
The domain used by the attacker, neweggstats.com, is hosted on a server at the Dutch hosting provider WorldStream and has a TLS certificate. The domain was registered through Namecheap on August 13, using a private registration service based in Panama. The domain’s TLS certificate was purchased from Comodo on the same day. The Comodo certificate may have been the most expensive part of the attackers’ infrastructure.
Starting on August 16, the code on the NewEgg checkout page, specifically “CheckoutStep2.aspx,” the ASP.NET-based checkout page powered by the NewEgg shopping cart system, included 15 lines of JavaScript that watched for a click on the payment button and submitted the entire form to the remote server. “The main event methods attached to the btnCreditCard button allow for all the data taken to be submitted to the specific target of the attacker when a mouse button is released, as well as when the touch screen is pressed and released,” researchers from Volexity noted, meaning that the code allows the attack to work on both computers and mobile devices.
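The skimmer described above still needs an outbound channel from the checkout page to the attacker's host: a fetch/XHR call (governed by the Content-Security-Policy directive connect-src) or a form post (governed by form-action). A policy that lists only the shop's own origins denies that channel no matter how convincing the lookalike domain is. The following added example, which is not code from the original article or from NewEgg, evaluates whether a given CSP header would let the checkout page reach a suspected collection endpoint; every URL and policy string in it is constructed for the demonstration.

```javascript
// Added example, not code from the original article or from NewEgg: decide whether a
// Content-Security-Policy header would let a script on the checkout page push form
// data to a given origin. All URLs and policy strings below are constructed.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Effective port of a URL (the URL API reports '' for the scheme default).
function effectivePort(url) {
  return url.port || (url.protocol === 'https:' ? '443' : '80');
}

// Does one CSP source expression permit a request to targetUrl from a page at pageUrl?
// Covers 'none', 'self', '*', scheme-sources ("https:") and host-sources with an
// optional scheme, a leading "*." wildcard and an optional port. Path matching and
// nonce/hash sources are omitted because they do not affect fetch destinations.
function sourceMatches(source, targetUrl, pageUrl) {
  const target = new URL(targetUrl);
  const page = new URL(pageUrl);
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^:/]+|[^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;

  // Scheme: an explicit scheme must match; an omitted scheme means the page's scheme,
  // with an http page also allowed to reach https (the CSP secure-upgrade rule).
  if (scheme) {
    if (target.protocol !== `${scheme}:`) return false;
  } else if (target.protocol !== page.protocol &&
             !(page.protocol === 'http:' && target.protocol === 'https:')) {
    return false;
  }

  // Host: "*" matches anything, "*.example" matches subdomains only (not the apex).
  if (host !== '*') {
    if (host.startsWith('*.')) {
      const suffix = host.slice(1); // ".example"
      if (!target.hostname.endsWith(suffix) || target.hostname.length <= suffix.length) return false;
    } else if (target.hostname !== host) {
      return false;
    }
  }

  // Port: an explicit port must match; "*" allows any; omitted means the scheme default.
  const targetPort = effectivePort(target);
  if (port === '*') return true;
  if (port) return port === targetPort;
  return targetPort === (target.protocol === 'https:' ? '443' : '80');
}

// Would the policy allow `directive` (connect-src or form-action) to reach targetUrl?
// connect-src falls back to default-src when absent; form-action does not, and an
// absent form-action leaves form submissions unrestricted.
function cspAllows(header, directive, targetUrl, pageUrl) {
  const d = parseCsp(header);
  let sources = d[directive];
  if (!sources && directive !== 'form-action') sources = d['default-src'];
  if (!sources) return true;
  return sources.some((src) => sourceMatches(src, targetUrl, pageUrl));
}

// Audit a checkout page's policy against one suspected exfiltration endpoint.
function auditCheckoutPolicy(header, pageUrl, exfilUrl) {
  return {
    fetchAllowed: cspAllows(header, 'connect-src', exfilUrl, pageUrl),
    formPostAllowed: cspAllows(header, 'form-action', exfilUrl, pageUrl),
  };
}

// Constructed sample: a lookalike collection host beside the shop's own origin.
const PAGE_URL = 'https://www.example-shop.test/CheckoutStep2.aspx';
const EXFIL_URL = 'https://example-shopstats.test/collect';
const WEAK_POLICY = "default-src 'self' https:; script-src 'self'";
const STRICT_POLICY =
  "default-src 'self'; connect-src 'self' https://api.example-shop.test; form-action 'self'";

console.log('weak  :', auditCheckoutPolicy(WEAK_POLICY, PAGE_URL, EXFIL_URL));
console.log('strict:', auditCheckoutPolicy(STRICT_POLICY, PAGE_URL, EXFIL_URL));
```

The weak policy is the common failure: a bare `https:` in default-src admits any TLS-protected host, and the attacker's domain had a valid certificate, so the lookalike passes. The strict policy names the shop's own API host and pins form-action to 'self', which is what blocks the channel; the check is a first-pass audit, not a full CSP implementation (path matching and report-only mode are not modelled).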
The NewEgg attack is one of what RiskIQ’s Klijnsma reports is a wave of attempted Magecart attacks. “Magecart attacks are recurring,” said Klijnsma, noting that “RiskIQ’s automatic detection of Magecart breaches pings almost hourly. Meanwhile, we see attackers that grow and improve over time, setting their focus on crimes against big brands.”
UPDATE, 5:08 PM ET: A spokesperson from Comodo defended the company’s issuance of the certificate, telling Ars in an emailed statement, “Comodo CA issued a DV certificate on August 13, 2018, after following all company standards and the Baseline Requirements of the CA/Browser Forum. Certificate authorities (CAs) can and must certify certificate applicants according to their validation level (EV, OV, or DV); they are not able to know the intent of the certificate applicant before real-world use.”