Newegg victim of Magecart between August 2018 to September 2018

Comments

• TechGromit Member Posts: 2,156 ■■■■■■■■■□

  September 2018

  interesting attack, I wonder if payments from customers were also processed by newegg as well. It's would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands of transactions a day, the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there no indication of an issue, or some kind of randomizer that was redirect only limited number of customers per hour.

  Still searching for the corner in a round room.

  0 · Share on FacebookShare on Twitter
• victor.s.andrei Member Posts: 70 ■■■□□□□□□□

  September 2018

  TechGromit wrote: »

  interesting attack, I wonder if payments from customers were also processed by newegg as well. It's would become pretty apparent pretty quickly that something was wrong if customers suddenly stopped ordering anything from your website, when you had hundreds, if not thousands of transactions a day, the day before. If so, a better approach would be to either forward the payment information to the actual egghead payment server so there no indication of an issue, or some kind of randomizer that was redirect only limited number of customers per hour.

  
  NewEgg probably didn't notice because payment information was still being sent to their servers, with an extra copy being made and sent to a malicious Web server in the Netherlands. The injected malicious client-side JavaScript runs on the customer Web browser, after all - so any connections are being sent from the customer's computer. The real question is how it got injected into NewEgg's Web site in the first place. Is Magecart inside NewEgg's other systems, modifying files directly? Or has Magecart downloaded and examined legitimate NewEgg scripts, including the Active Server Page code used for the shopping cart application, found vulnerabilities, and exploited those vulnerabilities to trick NewEgg's other systems into serving up some malicious JavaScript? Or has MageCart just exploited vulnerabilities in NewEgg's systems that were present because, say, Newegg hadn't loaded a vendor patch? Or has MageCart inserted malicious JavaScript into third-party JavaScripts that were being used by Newegg - say, something on the AMEX or MasterCard networks?
  
  Regardless, I'm pissed. Or at least, I was, until I realized that I use PayPal with my credit card to purchase something earlier this week. It looks like the malicious script targeted credit card payments made directly through NewEgg and its own card processors, so I think I'm safe. I'm still a little pissed though, largely because successful attacks and exfiltrations of personal data from databases increasingly seem to be the norm. It doesn't matter whether it's the government (US Government OPM breach), a bank (Wells Fargo), a tech company (Amazon), or an Internet retailer (Newegg). Basically everyone is getting pwn3d these days.

  Q4 '18 Certification Goals: Cisco ICND2; JNCIA-Junos; Linux+; Palo Alto ACE
  
  2018-2020 Learning Goals: non-degree courses in math (Idaho, Illinois NetMath, VCU) and CS/EE (CU Boulder, CSU)
  in preparation for an application to MS Math + CS/EE dual-master's degree program at a US state school TBD by Q4'21
  
  To be Jedi is to face the truth...and choose.
  Give off light...or darkness, Padawan.
  Be a candle...or the night. (Yoda)

  0 · Share on FacebookShare on Twitter