Magecart is a relatively new online exploit group that has been in the news in recent months for affecting British Airways and Ticketmaster. This hitherto-unrecognized group operates a web-based card skimmer: it injects a few lines of malicious code into a website and then steals the sensitive data that customers enter in the payment sections of the affected site. Two large digital threat management outfits, RiskIQ and Volexity, today released their reports on how Newegg was similarly affected during the period of August 13, 2018 through September 18, 2018, and what this means to users who may have performed a transaction on the website during this period.
In particular, Newegg.com was affected when the criminals behind Magecart registered the neweggstats.com domain (now inactive) via domain provider Namecheap. As RiskIQ points out, the domain was soon changed to point to the 18.104.22.168 IP address, a Magecart server that was used to receive and store all user data collected in the compromise that followed. A fake certificate was issued to add a layer of legitimacy to the domain, as seen below. Be sure to read past the break to find out more details, and also what the bottom line is for affected users.
Both agencies mention that the hack was first active on August 14, and the first confirmed attack took place on August 16. The manner of this compromise was identical to how Magecart affected other companies before. If anything, the attackers managed to make their code more efficient, needing only 8 lines of code here compared to the 22 lines they used with British Airways. The Volexity report, cited below, shares more technical information on how the attack works if you are interested. The malicious code was removed on September 18, after Newegg received word of it and took some action. The company has since put out a short statement on social media acknowledging the attack, with more relevant details sent out to potentially affected users. If you or anyone you know received this email, please share it with us so we may update this story accordingly.
[Update: September 19, 2018: TechPowerUp member xkm1948 was kind enough to share a screenshot of the email he received from Newegg, which can be seen below.]