Security firm RiskIQ, which had also put out detailed research on the BA hack, said in a blog post that the neweggstats.com domain, intended to blend in with Newegg's primary domain, newegg.com, had been registered through domain registrar Namecheap on 13 August. Details of the Newegg hack were also released separately by another firm, Volexity, with whom RiskIQ collaborated.
Newegg's business was valued at US$2.65 billion in 2016, and Alexa's Web statistics showed that it was the 161st most popular site in the US, RiskIQ's Yonathan Klijnsma pointed out, adding that Similarweb, which monitors site visits, had Newegg down as receiving more than 50 million visits every month.
The domain initially pointed to a standard parking host; the Magecart operators later changed it to point to 188.8.131.52, a drop server they owned, where the skimmer back-end ran and accepted the skimmed credit card data.
The certificate used for the neweggstats.com site.
Like many other shopping sites, Newegg first asks a prospective customer to choose a product, then enter delivery information and, once this is validated, takes the customer through the process of entering credit card information.
The skimming code was placed on the credit card processing page, Klijnsma said, adding that the URL of the page that returned the skimmer was https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx.
He said the code was smaller than the skimmer used against British Airways, running to just 15 lines, as only one form needed to be serialised.
The actual code (above) that did the skimming was similar to that used in the case of British Airways; the only changes were the name of the form and the server the information was sent to, themed for Newegg this time, Klijnsma said.
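Because the skimmer was served from Newegg's own checkout page rather than a third-party script, a script-source allowlist alone would not have flagged it; what gives it away is the page sending form data to a brand-themed domain that is not first-party. One way to surface that is to put a Content-Security-Policy-Report-Only header with connect-src, form-action and img-src restrictions on the checkout page and triage the violation reports. The code below is an added example, not RiskIQ's or Newegg's code; the first-party list, brand tokens and the sample reports are constructed for illustration, and only neweggstats.com and the CheckoutStep2.aspx URL come from the article.

```javascript
// Added example (not from the article, RiskIQ or Newegg): triage CSP
// report-only violations from a checkout page and flag egress to
// brand-lookalike domains such as neweggstats.com.

// Assumed first-party registrable domains and brand tokens for this example.
const FIRST_PARTY = ["newegg.com", "neweggimages.com"];
const BRAND_TOKENS = ["newegg"];

// Naive registrable domain (last two labels). Adequate for .com hosts; use the
// Public Suffix List for multi-label suffixes such as .co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Classify one destination: first-party, a brand-themed lookalike (the
// neweggstats.com pattern), an ordinary third party, or not a URL at all
// (CSP reports use "inline", "eval" or "data" for those).
function classifyDestination(blockedUri, firstParty = FIRST_PARTY, brandTokens = BRAND_TOKENS) {
  let host;
  try {
    host = new URL(blockedUri).hostname;
  } catch {
    return { host: null, verdict: "unparseable" };
  }
  if (firstParty.includes(registrableDomain(host))) return { host, verdict: "first-party" };
  if (brandTokens.some((t) => host.includes(t))) return { host, verdict: "brand-lookalike" };
  return { host, verdict: "third-party" };
}

// Directives through which a skimmer can push data off the page: fetch/XHR/
// beacon (connect-src), form posts (form-action) and image pixels (img-src).
const EXFIL_DIRECTIVES = ["connect-src", "form-action", "img-src"];
const SEVERITY_RANK = { high: 0, review: 1 };

// Walk a batch of CSP reports (the JSON bodies a browser POSTs to report-uri)
// and return the non-first-party exfil destinations, worst first.
function triageCspReports(reports, firstParty = FIRST_PARTY, brandTokens = BRAND_TOKENS) {
  const findings = [];
  for (const wrapper of reports) {
    const r = wrapper["csp-report"];
    if (!r) continue;
    // Older reports put the directive name plus its sources in violated-directive.
    const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
    if (!EXFIL_DIRECTIVES.includes(directive)) continue;
    const c = classifyDestination(r["blocked-uri"], firstParty, brandTokens);
    if (c.verdict === "first-party" || c.verdict === "unparseable") continue;
    findings.push({
      page: r["document-uri"],
      directive,
      destination: c.host,
      verdict: c.verdict,
      // Checkout-page egress to a domain that imitates the brand is the strongest signal.
      severity: c.verdict === "brand-lookalike" ? "high" : "review",
    });
  }
  return findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed sample: three report-only violations raised on the checkout step.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx",
      "effective-directive": "connect-src", "blocked-uri": "https://neweggstats.com/" } },
  { "csp-report": { "document-uri": "https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx",
      "effective-directive": "img-src", "blocked-uri": "https://www.google-analytics.com/collect" } },
  { "csp-report": { "document-uri": "https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx",
      "effective-directive": "script-src", "blocked-uri": "inline" } },
];

console.log(JSON.stringify(triageCspReports(SAMPLE_REPORTS), null, 2));
```

Report-only mode observes but does not stop the exfiltration; once the allowlist is clean, the same connect-src and form-action directives go into an enforced Content-Security-Policy header, at which point the browser refuses the request to the drop domain outright. The substring match on the brand name is only a triage aid for prioritising the queue; the actual control is that anything outside the first-party list on a payment page needs an owner.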
"While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets’ websites," he said.
I mean if you're turning over $2bn and you're an online retailer, this disclaimer probably won't cause Magecart operators to rethink. pic.twitter.com/krYftgSoQt — Kevin Beaumont (@GossiTheDog) September 19, 2018
"The attack on Newegg shows that while third parties have been a problem for websites, as in the case of the Ticketmaster breach, self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer."
Screenshots: courtesy RiskIQ