Newegg victim of Magecart between August 2018 and September 2018

averageguy72 Member Posts: 323
I wouldn't normally post one of these reports but I figured some members are not primarily focused on infosec and may have not heard yet.

Looks like Newegg joins British Airways in falling victim to Magecart.

https://www.riskiq.com/blog/labs/magecart-newegg/
https://www.volexity.com/blog/2018/09/19/magecart-strikes-again-newegg/
CISSP / CCSP / CCSK / CRISC / CISM / CISA / CASP / Security+ / Network+ / A+ / CEH / eNDP / AWS Certified Advanced Networking - Specialty / AWS Certified Security - Specialty / AWS Certified DevOps Engineer - Professional / AWS Certified Solutions Architect - Professional / AWS Certified SysOps Administrator - Associate / AWS Certified Solutions Architect - Associate / AWS Certified Developer - Associate / AWS Cloud Practitioner

Comments

  • TechGromit Member Posts: 2,156
    Interesting attack. I wonder if payments from customers were also processed by Newegg as well. It would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands, of transactions a day the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there is no indication of an issue, or some kind of randomizer that would redirect only a limited number of customers per hour.
    Still searching for the corner in a round room.
  • victor.s.andrei Member Posts: 70
    TechGromit wrote: »
    Interesting attack. I wonder if payments from customers were also processed by Newegg as well. It would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands, of transactions a day the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there is no indication of an issue, or some kind of randomizer that would redirect only a limited number of customers per hour.

    Newegg probably didn't notice because payment information was still being sent to their servers, with an extra copy being made and sent to a malicious Web server in the Netherlands. The injected malicious client-side JavaScript runs in the customer's Web browser, after all, so any connections are being sent from the customer's computer. The real question is how it got injected into Newegg's Web site in the first place. Is Magecart inside Newegg's other systems, modifying files directly? Or has Magecart downloaded and examined legitimate Newegg scripts, including the Active Server Page code used for the shopping cart application, found vulnerabilities, and exploited those vulnerabilities to trick Newegg's other systems into serving up some malicious JavaScript? Or has Magecart just exploited vulnerabilities in Newegg's systems that were present because, say, Newegg hadn't loaded a vendor patch? Or has Magecart inserted malicious JavaScript into third-party JavaScript that was being used by Newegg, say, something on the AMEX or MasterCard networks?

    Regardless, I'm pissed. Or at least, I was, until I realized that I used PayPal with my credit card to purchase something earlier this week. It looks like the malicious script targeted credit card payments made directly through Newegg and its own card processors, so I think I'm safe. I'm still a little pissed though, largely because successful attacks and exfiltrations of personal data from databases increasingly seem to be the norm. It doesn't matter whether it's the government (US Government OPM breach), a bank (Wells Fargo), a tech company (Amazon), or an Internet retailer (Newegg). Basically everyone is getting pwn3d these days.
    Q4 '18 Certification Goals: Cisco ICND2; JNCIA-Junos; Linux+; Palo Alto ACE

    2018-2020 Learning Goals: non-degree courses in math (Idaho, Illinois NetMath, VCU) and CS/EE (CU Boulder, CSU)
    in preparation for an application to MS Math + CS/EE dual-master's degree program at a US state school TBD by Q4'21

    To be Jedi is to face the truth...and choose.
    Give off light...or darkness, Padawan.
    Be a candle...or the night.
    (Yoda)