The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg’s webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg’s Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.
Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways—while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.
The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a valid TLS certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain’s TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers’ infrastructure.
[Image caption: The malicious code injected into NewEgg’s checkout process.]
[Image caption: The SSL certificate for the fraudulent NewEgg domain used by Magecart attackers.]
Starting on August 16, code on NewEgg’s checkout page—specifically “CheckoutStep2.aspx,” the ASP.NET-based payment page served up by NewEgg’s shopping cart system—included 15 lines of JavaScript that watched for a click on the payment button and submitted the entire form to the remote server. “The initial event methods bound to the button btnCreditCard allow for all data captured to be submitted to the attacker-specified destination when a mouse button is released, as well as when a touch screen has been pressed and released,” the researchers from Volexity noted—meaning that the code allowed the attack to work both for computers and mobile devices.
The NewEgg attack is just one in what RiskIQ’s Klijnsma reports is a wave of attempted Magecart attacks. “Magecart attacks are surging,” Klijnsma said, noting that “RiskIQ’s automatic detections of instances of Magecart breaches ping us almost hourly. Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands.”
Update, 5:08 PM ET: A spokesperson from Comodo defended the company’s certificate issuance in this case, telling Ars in an emailed statement, “Comodo CA had issued the DV certificate on August 13, 2018, after following all industry standards and Baseline Requirements from the CA/Browser Forum. While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV, OV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use.”