
How was a credit card skimmer used to steal data from Newegg?

Researchers believe that malicious JavaScript code was used to steal credit card data from online retailer Newegg. Learn more about this attack with Judith Myerson.

Security researchers claim the hackers behind last year's attack on British Airways, which affected 380,000 customers, also stole credit card data from online retailer Newegg using a credit card skimmer. How did the Magecart threat actors pull off this attack?

RiskIQ researchers discovered that Magecart threat actors placed a digital credit card skimmer on the Newegg website to steal customers' credit card data in plain text, and that the skimmer was active for a month before it was removed on Sept. 18, 2018.

To capture payment information as it was processed, the threat actors inserted malicious JavaScript code into the checkout page of Newegg's website. The researchers found the credit card skimmer to be a smaller version of the one used in the British Airways breach. The actors changed the name of the form that is serialized to obtain the payment information, and serializing a single form reduced the skimmer to 15 lines of code, as RiskIQ discovered.

The code revealed that the attackers used a jQuery.ajax method to perform an asynchronous HTTP request after Newegg customers submitted their payment. All of the delivery and payment information the customer entered on the checkout page was then sent to the attacker's server.

The URL for the page that returned the skimmer was https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx/. The digital skimmer was hidden by integrating it with the payment processing pages, and the credit card data was skimmed as plain text before it could be encrypted.

The destination URL parameter in the Magecart code was set to https://neweggstats.com/Globaldata. The threat actors used Namecheap, a domain name registrar headquartered in Los Angeles, Calif., to register the neweggstats.com domain on Aug. 12, 2018, one day before they activated the skimmer.
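The attack described above depends on the checkout page being able to send serialized form data to an origin the retailer never intended (here, the look-alike neweggstats.com). The following is an added example, not code from the article or from RiskIQ, showing the defensive counterpart: a connect-src style allowlist for outbound requests, the equivalent Content-Security-Policy header, and a browser-side guard that refuses XMLHttpRequest calls (the transport behind jQuery.ajax) to any origin outside that list. The allowlist contents and the guard's behaviour are assumptions; the domain names come from the article.

```javascript
// Added example (not from the original article): decide whether an outbound
// request destination is permitted by a CSP-style connect-src allowlist, and
// apply that decision to XMLHttpRequest in a browser. The page origin is taken
// from the article's checkout URL; the allowlist itself is an assumption.

const PAGE_ORIGIN = "https://secure.newegg.com";          // article's checkout host
const CONNECT_SRC = ["'self'", "https://www.newegg.com"];  // assumed allowlist

// Resolve `url` against the page origin and compare its origin with each
// allowlist entry; 'self' means the page's own origin. Anything unparsable
// is treated as blocked rather than allowed.
function isAllowedDestination(url, allowlist = CONNECT_SRC, pageOrigin = PAGE_ORIGIN) {
  let target;
  try {
    target = new URL(String(url), pageOrigin).origin;
  } catch (e) {
    return false;
  }
  return allowlist.some((entry) => {
    const allowed = entry === "'self'" ? pageOrigin : entry;
    try {
      return new URL(allowed).origin === target;
    } catch (e) {
      return false; // malformed allowlist entry never matches
    }
  });
}

// The same allowlist expressed as a Content-Security-Policy directive value,
// for the server to send on the checkout page.
function buildCspHeader(allowlist = CONNECT_SRC) {
  return `connect-src ${allowlist.join(" ")}`;
}

// Browser-only guard: wrap XMLHttpRequest.prototype.open so a request to a
// non-allowlisted origin is reported and refused before it is sent. Returns
// true when installed, false when no XMLHttpRequest exists (e.g. under Node).
function installConnectGuard(onBlocked = (url) => console.warn("blocked request to", url)) {
  if (typeof XMLHttpRequest === "undefined") return false;
  const originalOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    if (!isAllowedDestination(url)) {
      onBlocked(String(url));
      throw new Error(`Request to ${url} violates "${buildCspHeader()}"`);
    }
    return originalOpen.call(this, method, url, ...rest);
  };
  return true;
}

// Constructed sample destinations: the article's exfiltration URL, the
// checkout page itself, a first-party API path and a scheme downgrade.
const SAMPLE_DESTINATIONS = [
  "https://neweggstats.com/Globaldata",
  "/GlobalShopping/CheckoutStep2.aspx/",
  "https://www.newegg.com/api/cart",
  "http://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx/",
];

function classifySamples() {
  return SAMPLE_DESTINATIONS.map((d) => ({ url: d, allowed: isAllowedDestination(d) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildCspHeader());
  console.table(classifySamples());
}
```

The guard is a monitoring aid for a page you control, not a replacement for the header: a real `Content-Security-Policy: connect-src ...` response header is enforced by the browser itself and cannot be undone by injected script, whereas a JavaScript wrapper can be bypassed by any code that runs before it. Note that a look-alike domain such as neweggstats.com fails the origin comparison outright, and so does a same-host request over plain HTTP.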

Likewise, the IP address for the parking host was changed to 217.23.4.11, which was found to be registered in the Netherlands, so that a Magecart server could receive the skimmed credit card information. To make their page look legitimate, the actors acquired a certificate for the domain issued by Comodo. The registration for the look-alike domain will remain active until Aug. 12, 2019.

Customers who placed an order with Newegg during the digital skimmer's active period should deactivate and replace their credit cards.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
