Electronics retailer Newegg becomes the latest victim of Magecart

  • The attackers created a lookalike of the Newegg domain, named neweggstats.com, on August 13.
  • They even changed the IP address of the new ‘Newegg’ domain to ease the process of stealing credit card information.

Researchers from RiskIQ and Volexity have released reports on a recent attack on the online retail firm Newegg Inc. The attack started on August 14 and was used to steal customers' credit card data.

According to the reports, the attackers created a lookalike of the Newegg domain, named neweggstats.com, on August 13. A day after registration, Magecart changed the IP address of the domain to 217.23.41, to ease the process of stealing credit card information.

In addition, around the same day, the attackers managed to place payment skimmer code on Newegg systems to intercept credit card data during the checkout process. RiskIQ stated that the code was obfuscated and contained the same base component that was used in the recent attacks on ABS-CBN, British Airways and Ticketmaster.

Hacking process

The hacking process is initiated when a user wishes to purchase an item from the Newegg site. When the user adds the selected item to the shopping cart, they are asked to enter a shipping address before being redirected to the payment page. The customer is then sent to a new page -- which is malicious -- to begin the payment process.

Volexity researchers confirmed that the attack went live on Newegg’s site on August 16.

"Through its global sensors network, Volexity was able to confirm attacks via Newegg three days later on August 16, 2018," said Volexity in a blog post. "Based on data that Volexity obtained from its sensor network, it appears the code may have been added somewhere between 15:45 and 20:20 UTC. It is possible that the attackers started earlier, however, Volexity’s review of various networks with Newegg transactions earlier in the day and leading up to this time show no connections back to neweggstats.com."

The skimmer code was active for at least a month before it was removed on September 18.
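
The kind of review Volexity describes, sketched as an added example (not code from Volexity, RiskIQ or this article): it scans proxy-log lines for POSTs sent from a checkout page to a site outside an allowlist, and bounds when the skimmer first appeared. The log lines, paths, allowlist and `payments.example` are constructed assumptions; only neweggstats.com and the 15:45 and 20:20 UTC times come from the article.

```python
from datetime import datetime
from urllib.parse import urlsplit

BRAND = "newegg"
SHOP = "newegg.com"
APPROVED = {SHOP, "payments.example"}  # hypothetical allowlist of checkout POST targets

# Constructed proxy-log lines (time, method, destination, Referer); paths are made up.
SAMPLE_LOG = """\
2018-08-16T15:30:00Z GET https://www.newegg.com/cart -
2018-08-16T15:45:00Z POST https://api.payments.example/charge https://www.newegg.com/checkout/pay
2018-08-16T18:02:11Z POST https://stats.example/hit https://www.newegg.com/
2018-08-16T20:20:00Z POST https://neweggstats.com/placeholder https://www.newegg.com/checkout/pay
2018-08-16T20:31:40Z POST https://neweggstats.com/placeholder https://www.newegg.com/checkout/pay
"""

def site(url):
    """Last two host labels (assumption: good enough here, not public-suffix aware)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def find_checkout_beacons(log):
    """Return (hits, window) for checkout-page POSTs to unapproved sites.

    window = (last approved checkout POST before the first hit, first hit).
    """
    hits, clean = {}, []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, method, dest, referer = line.split()
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        from_checkout = site(referer) == SHOP and "checkout" in urlsplit(referer).path
        if method != "POST" or not from_checkout:
            continue  # only data leaving a checkout page is of interest
        target = site(dest)
        if target in APPROVED:
            clean.append(ts)
            continue
        hit = hits.setdefault(target, {"first_seen": ts, "count": 0,
                                       "lookalike": BRAND in target})
        hit["first_seen"] = min(hit["first_seen"], ts)
        hit["count"] += 1
    if not hits:
        return hits, None
    first = min(h["first_seen"] for h in hits.values())
    before = [t for t in clean if t < first]
    return hits, (max(before) if before else None, first)
```

On the constructed sample, the function reports neweggstats.com as a brand-lookalike destination and returns the interval between the last checkout POST with no unapproved destination and the first beacon.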

Commenting on the protection against such attacks, RiskIQ researcher Yonathan Klijnsma told BleepingComputer that "Protection is very hard, mostly because they generally take any avenue they can get."

Meanwhile, the retail shop Newegg has started to notify its customers about the data breach over email.

Cyware Publisher