The major electronics and computer hardware retailer Newegg has announced that attackers have compromised its online payments system, potentially scooping up buyers’ credit card data over a period of more than a month.
"Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site," the company said in a statement on Twitter.
Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site. We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted. Please check your email
— Newegg (@Newegg) September 19, 2018
According to reports by threat management outfits RiskIQ and Volexity, which jointly uncovered the breach, the data exfiltration lasted from around August 14 to September 18. The attack relied on malicious JavaScript code that was injected into the store’s payment-processing page, where customers input their credit card details.
The malicious script, which worked on both the website’s desktop and mobile versions, would then forward the data to a server (with a no-longer active domain). The domain, neweggstats.com, was designed to blend in with the legitimate newegg.com website, having been set up for that purpose – and with a valid HTTPS certificate at that – on August 13.
The attack has been attributed to a threat collective known as Magecart, which, according to RiskIQ, is also to blame for the recent breach at British Airways, as well as for the breach at Ticketmaster’s UK site.
The script, which only contains 15 lines, has been removed after RiskIQ and Volexity alerted Newegg to the compromise. While customized to steal data from the Newegg website, the script is similar to the one leveraged in the British Airways compromise, said Volexity.
It’s unclear at this point how many people have been affected. Newegg.com is the 164th most popular website in the US, according to Alexa, and it receives some 50 million visitors per month. All customers who made a purchase on the website between August 14 and September 18 should keep their eyes peeled for any suspicious activity on their bank accounts.