Silvano Rebai - Fotolia
Security researchers claim the hackers behind last year's attack on British Airways, which affected 380,000 customers, also stole credit card data from online retailer Newegg using a credit card skimmer. How did the Magecart threat actors pull off this attack?
RiskIQ researchers discovered that Magecart threat actors placed a digital credit card skimmer on the Newegg website to steal credit card data from customers in plain text, as well as that the skimmer was active for a month before it was removed on Sept. 18, 2018.
The code revealed that the attackers used a jQuery.ajax method to perform an asynchronous HTTP request after Newegg customers submitted their payment. All of the delivery and payment information the customer entered on the checkout page was then sent to the attacker's server.
The URL for the page that returned the skimmer was https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx/. The digital skimmer was hidden by integrating it with the payment processing pages, and the credit card data was skimmed as plain text before it could be encrypted.
The destination URL parameter in the Magecart code was set to https://neweggstats.com/Globaldata. The threat actors used Namecheap, a domain name registrar headquartered in Los Angeles, Calif., to register the neweggstats.com domain on Aug. 12, 2018, one day before they activated the skimmer.
Likewise, the IP address for the parking host was changed to 220.127.116.11 -- and was found to have been registered in the Netherlands -- to enable a Magecart server to receive skimmed credit card information. To make their page look legitimate, the actors acquired a certificate issued for the domain by Comodo. The registration for the look-alike domain will remain active until Aug. 12, 2019.
Customers who placed an order with Newegg during the digital skimmer's active period should deactivate and replace their credit cards.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading