Newegg victim of Magecart between August 2018 to September 2018

I wouldn't normally post one of these reports but I figured some members are not primarily focused on infosec and may have not heard yet.

Looks like Newegg joins British Airways in falling victim to Magecart.

https://www.riskiq.com/blog/labs/magecart-newegg/
https://www.volexity.com/blog/2018/09/19/magecart-strikes-again-newegg/

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

TechGromit

interesting attack, I wonder if payments from customers were also processed by newegg as well. It's would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands of transactions a day, the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there no indication of an issue, or some kind of randomizer that was redirect only limited number of customers per hour.

victor.s.andrei

TechGromit wrote: »

interesting attack, I wonder if payments from customers were also processed by newegg as well. It's would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands of transactions a day, the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there no indication of an issue, or some kind of randomizer that was redirect only limited number of customers per hour.

NewEgg probably didn't notice because payment information was still being sent to their servers, with an extra copy being made and sent to a malicious Web server in the Netherlands. The injected malicious client-side JavaScript runs on the customer Web browser, after all - so any connections are being sent from the customer's computer. The real question is how it got injected into NewEgg's Web site in the first place. Is Magecart inside NewEgg's other systems, modifying files directly? Or has Magecart downloaded and examined legitimate NewEgg scripts, including the Active Server Page code used for the shopping cart application, found vulnerabilities, and exploited those vulnerabilities to trick NewEgg's other systems into serving up some malicious JavaScript? Or has MageCart just exploited vulnerabilities in NewEgg's systems that were present because, say, Newegg hadn't loaded a vendor patch? Or has MageCart inserted malicious JavaScript into third-party JavaScripts that were being used by Newegg - say, something on the AMEX or MasterCard networks?

Regardless, I'm pissed. Or at least, I was, until I realized that I use PayPal with my credit card to purchase something earlier this week. It looks like the malicious script targeted credit card payments made directly through NewEgg and its own card processors, so I think I'm safe. I'm still a little pissed though, largely because successful attacks and exfiltrations of personal data from databases increasingly seem to be the norm. It doesn't matter whether it's the government (US Government OPM breach), a bank (Wells Fargo), a tech company (Amazon), or an Internet retailer (Newegg). Basically everyone is getting pwn3d these days.