The domain used by the attackers, neweggstats.com, is hosted on a server at the Dutch hosting provider WorldStream and has a valid TLS certificate. The domain was registered through Namecheap on August 13, using a domain-privacy registration service in Panama. The domain's TLS certificate was purchased from Comodo on the same day. That Comodo certificate may have been the most expensive part of the attackers' infrastructure.
The NewEgg attack is one of what RiskIQ's Klijnsma reports is a wave of attempted Magecart attacks. "Magecart attacks are recurring," said Klijnsma, noting that "RiskIQ's automatic detection of Magecart breaches pings almost hourly. Meanwhile, we see attackers that grow and improve over time, focusing their crimes on big brands."
UPDATE, 5:08 PM ET: A spokesperson for Comodo defended the company's issuance of the certificate, telling Ars in an emailed statement, "Comodo CA issued a DV certificate on August 13, 2018, after following all company standards and the Baseline Requirements from the CA/Browser Forum. Certificate authorities (CAs) can and must certify certificate applicants according to their validation level (EV, OV, or DV); they are not able to know the intent of the certificate applicant before real-world use."
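The two passages above make one practical point: a DV certificate proves only that the applicant controlled the domain at issuance, so a brand-impersonating name that was registered and certified on the same day is something the brand has to watch for itself, typically by monitoring Certificate Transparency logs. The following is an added example, not code from Ars, RiskIQ, or Comodo; it runs a simple triage over constructed records shaped like what a CT monitor plus a WHOIS lookup would return (the field names, the `BRANDS` table and the 30-day threshold are assumptions; the neweggstats.com dates are the ones the article gives).

```python
"""Triage CT-log-style certificate records for brand-impersonating domains.

Added example, not from the article or any of the companies it names.
Input records are constructed inline to mimic what a Certificate
Transparency monitor (domain, notBefore, validation level) combined with
a WHOIS creation date would return; in practice these come from a CT
log feed and a WHOIS/RDAP client.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: brands to protect, mapped to the registrable domains they
# legitimately own. Anything else that embeds the brand string is suspect.
BRANDS = {"newegg": {"newegg.com"}}


@dataclass
class CertRecord:
    domain: str        # leaf name seen in the certificate
    not_before: date   # certificate validity start (from CT log entry)
    validation: str    # "DV", "OV" or "EV" as asserted by the issuer
    registered: date   # WHOIS creation date (constructed here)


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Naive (ignores public-suffix rules like co.uk),
    which is enough for the .com cases in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_host(host: str):
    """Return the brand name embedded in a host that is NOT one of the
    brand's own registrable domains, or None."""
    h = host.lower()
    squashed = h.replace("-", "")  # catch new-egg style separators
    for brand, legit in BRANDS.items():
        if brand in squashed and registrable_domain(h) not in legit:
            return brand
    return None


def assess(rec: CertRecord, max_age_days: int = 30) -> dict:
    """Score one record. The brand match is the gate; DV validation and a
    short registration-to-issuance gap are corroborating signals, since a
    DV cert attests only domain control, not who the applicant is."""
    brand = brand_in_host(rec.domain)
    if brand is None:
        return {"domain": rec.domain, "suspicious": False, "reasons": []}
    reasons = [f"embeds brand '{brand}' outside its legitimate domains"]
    if rec.validation == "DV":
        reasons.append("DV certificate: only domain control was checked, not the applicant")
    gap = (rec.not_before - rec.registered).days
    if 0 <= gap <= max_age_days:
        reasons.append(f"certificate issued {gap} day(s) after domain registration")
    return {"domain": rec.domain, "suspicious": True, "reasons": reasons}


def triage(records) -> list:
    """Return the domains that need a human look, most reasons first."""
    hits = [assess(r) for r in records]
    hits = [h for h in hits if h["suspicious"]]
    hits.sort(key=lambda h: -len(h["reasons"]))
    return [h["domain"] for h in hits]


# Constructed sample feed. The first record mirrors the article's facts
# (registered and certified on 13 Aug 2018, DV); the others are made up.
SAMPLE = [
    CertRecord("neweggstats.com", date(2018, 8, 13), "DV", date(2018, 8, 13)),
    CertRecord("secure.newegg.com", date(2018, 6, 1), "EV", date(1998, 1, 1)),
    CertRecord("newegg-support.net", date(2018, 9, 1), "OV", date(2017, 1, 1)),
    CertRecord("example.org", date(2018, 7, 1), "DV", date(2018, 6, 20)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        result = assess(rec)
        flag = "SUSPECT" if result["suspicious"] else "ok     "
        print(f"{flag} {rec.domain}")
        for reason in result["reasons"]:
            print(f"         - {reason}")
```

The gate is deliberately the brand string rather than the certificate: as Comodo's statement says, a CA issuing a DV certificate has no view of intent, so a fresh DV certificate on its own is not a signal. The CT monitor's job is to surface names that borrow a brand it does not own, and the issuance-versus-registration gap then tells the analyst how freshly the infrastructure was stood up.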