Security researchers claim the hackers behind last year's attack on British Airways, which affected 380,000 customers, also stole credit card data from online retailer Newegg using a credit card skimmer. How did the Magecart threat actors pull off this attack?
RiskIQ researchers discovered that Magecart threat actors had placed a digital credit card skimmer on the Newegg website that captured customers' credit card data in plain text. The skimmer was active for a month before it was removed on Sept. 18, 2018.
The code revealed that the attackers used a jQuery.ajax method to perform an asynchronous HTTP request after Newegg customers submitted their payment. All of the delivery and payment information the customer entered on the checkout page was then sent to the attacker's server.
The URL for the page that returned the skimmer was https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx/. The digital skimmer was hidden by integrating it with the payment processing pages, and the credit card data was skimmed as plain text before it could be encrypted.
The destination URL parameter in the Magecart code was set to https://neweggstats.com/Globaldata. The threat actors used Namecheap, a domain name registrar headquartered in Los Angeles, Calif., to register the neweggstats.com domain on Aug. 12, 2018, one day before they activated the skimmer.
The IP address of the domain's parking host was then changed to 220.127.116.11, an address found to have been registered in the Netherlands, so that a Magecart server could receive the skimmed credit card information. To make the page look legitimate, the actors obtained a certificate for the domain issued by Comodo. The registration for the look-alike domain will remain active until Aug. 12, 2019.
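From a defender's perspective, the telling signal in this attack is a checkout page issuing a POST to a domain that is not the merchant's own. The following JavaScript is an added example, not code from the article, RiskIQ or Newegg: it audits a constructed log of outbound requests against an assumed allowlist of first-party origins, flags brand look-alike domains, and emits a Content-Security-Policy connect-src directive that would make the browser block such a request outright.

```javascript
// Added example (not from the article or RiskIQ's analysis). The allowlist and
// the request log are constructed; the neweggstats.com destination and checkout
// page URL are the ones named in the article.
const ALLOWED_ORIGINS = ["https://secure.newegg.com", "https://www.newegg.com"]; // assumed
const BRAND = "newegg";

// Approximate the registrable domain by its last two labels (fine for .com-style TLDs).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Return one finding per request whose destination is not a first-party domain.
// A POST from a checkout page is rated high: that is the skimmer exfiltration pattern.
function auditOutboundRequests(requests, allowedOrigins = ALLOWED_ORIGINS, brand = BRAND) {
  const allowedDomains = new Set(allowedOrigins.map(o => registrableDomain(new URL(o).hostname)));
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    const domain = registrableDomain(url.hostname);
    if (allowedDomains.has(domain)) continue;
    const lookalike = url.hostname.includes(brand);
    findings.push({
      url: req.url,
      method: req.method,
      fromPage: req.page,
      severity: req.method === "POST" && /checkout/i.test(req.page) ? "high" : "medium",
      reason: lookalike
        ? `third-party domain ${domain} impersonates brand "${brand}"`
        : `third-party domain ${domain} not on allowlist`,
    });
  }
  return findings;
}

// Preventive control: a connect-src directive restricting where scripts may send data.
function connectSrcDirective(allowedOrigins = ALLOWED_ORIGINS) {
  return `connect-src 'self' ${allowedOrigins.join(" ")}`;
}

// Constructed request log as a checkout-page monitor might record it.
const CHECKOUT = "https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx/";
const SAMPLE_REQUESTS = [
  { method: "GET", url: CHECKOUT, page: CHECKOUT },
  { method: "POST", url: "https://neweggstats.com/Globaldata", page: CHECKOUT },
  { method: "GET", url: "https://cdn.example-analytics.net/tag.js", page: "https://www.newegg.com/" },
];
```

The same allowlist drives both functions, so the audit and the CSP policy cannot drift apart.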
Customers who placed an order with Newegg during the digital skimmer's active period should deactivate and replace their credit cards.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)