NewEgg cracked in breach, hosted card-stealing code within its own checkout

https://arstechnica.com/information-technology/2018/09/newegg-hit-by-credit-card-stealing-code-injected-into-shopping-code/


The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways—while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.

The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain's TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers' infrastructure.

Starting on August 16, code on NewEgg's checkout page—specifically "CheckoutStep2.aspx," the ASP.NET-based payment page served up by NewEgg's shopping cart system—included 15 lines of JavaScript that watched for a click on the payment button and submitted the entire form to the remote server. "The initial event methods binded to the button btnCreditCard allow for all data captured to be submitted to the attacker-specified destination when a mouse button is released, as well as when a touch screen has been pressed and released," the researchers from Volexity noted—meaning that the code allowed the attack to work both for computers and mobile devices.

*end of excerpt*

Oh God....I hope I hope I wasn't affected. Off to newegg.com I go.

eta: Phew I'm safe, my last order was ONE day before the attack.