By inserting just 8 lines of code into the checkout process of the Newegg.com website, hackers managed to steal as many as several million credit card numbers as customers made payments to the electronics retail giant.
On August 13, fraudsters created the domain neweggstats.com and, shortly thereafter, somehow obtained what appears to be a valid Comodo certificate for it. They then pointed the domain to 188.8.131.52, a server used to receive stolen credit card information, and inserted spyware into the real Newegg site, causing people’s credit card information to be copied to the neweggstats.com site in real time during Newegg’s checkout process. The criminals involved were quite crafty: the spyware was not activated until the second page of the checkout process (on which Newegg asks shoppers to enter payment information), which helped the malicious code remain stealthy and evade detection by Newegg’s security personnel, who finally discovered and removed the malware on September 18th.
While it was live, the malicious code impacted sessions of users accessing the site from both computers and smartphones. Due to various constraints of mobile devices, however, it is not yet clear how many customers using smartphones, if any, were actually affected.
The 8-line malicious script (15 lines if converted to an easier-to-read, standard format) that the crooks used to pilfer credit card details from Newegg customers is an improved, smaller version of the code recently used to steal information from British Airlines and Feedify. It is named for the group behind it, Magecart, which commits its crimes by breaching vulnerable websites and targeting the sites’ users.
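The skimming pattern described above (a payment page sending data to a host that looks like the brand but is not the brand) is something a defender can surface from browser reports. The following is an added example, not code from the article or from Newegg: it assumes the site sends a Content-Security-Policy that reports violations, and the hosts, paths and sample reports are all constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed values for a hypothetical shop; replace with your own.
ALLOWED_HOSTS = {"shop.example", "payments.example"}
BRAND = "shop"                      # token used to spot brand look-alike hosts
PAYMENT_PATHS = ("/checkout/payment",)

def _report(page, blocked, directive):
    return json.dumps({"csp-report": {"document-uri": page,
                                      "blocked-uri": blocked,
                                      "effective-directive": directive}})

# Constructed CSP violation reports (not real traffic).
SAMPLE_REPORTS = [
    _report("https://shop.example/checkout/cart", "https://cdn.thirdparty.example/a.js", "script-src"),
    _report("https://shop.example/checkout/payment", "https://api.payments.example/tokenize", "connect-src"),
    _report("https://shop.example/checkout/payment", "inline", "script-src"),
    _report("https://shop.example/checkout/payment", "https://shopstats.example/collect", "connect-src"),
]

def is_allowed(host, allowed):
    # Exact host or a subdomain of an allowed host; a look-alike such as
    # shopstats.example is neither.
    return any(host == a or host.endswith("." + a) for a in allowed)

def triage(reports, allowed=ALLOWED_HOSTS, brand=BRAND):
    findings = []
    for raw in reports:
        body = json.loads(raw).get("csp-report", {})
        page = urlsplit(body.get("document-uri", "")).path
        # Keyword values such as "inline" have no hostname and are not
        # covered by this host check.
        dest = (urlsplit(body.get("blocked-uri", "")).hostname or "").lower()
        if not dest or is_allowed(dest, allowed):
            continue
        findings.append({
            "page": page,
            "dest": dest,
            "directive": body.get("effective-directive", ""),
            "payment_page": page.startswith(PAYMENT_PATHS),
            "lookalike": brand in dest,
        })
    # Payment-page traffic to brand look-alike hosts goes to the top.
    findings.sort(key=lambda f: (not f["payment_page"], not f["lookalike"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORTS):
        print(f)
```

A valid certificate on the look-alike host does not change the result, because the check is on the destination hostname rather than on whether the connection is encrypted.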
Newegg is estimated to receive about 50 million monthly visits, and made $2.65 billion in revenue in 2016.
In an email to customers, Newegg’s CEO, Danny Lee, said that the company has “not yet determined which customer accounts may have been affected.” That said, anyone who entered credit card information on the Newegg website since mid-August should carefully check his or her credit card transaction log, and, ideally, request a new card with a new number from the issuing bank.