The attack on the site lasted for five weeks, from 14 August to 18 September. RiskIQ said that the attack bore striking similarities to the attacks on British Airways and Ticketmaster, both of which it has attributed to Magecart.
Newegg is an online retailer of electronic products. Based in the US, it claims to be active in 50 countries. RiskIQ said it had a turnover of US$2.65 billion (£2 billion) in 2016 and it was ranked by Alexa as the 161st most popular site in the world. SimilarWeb estimates that the site receives more than 50 million visitors per month.
At this point, it is not clear exactly how many credit card records may have been compromised in the attack.
The attackers managed to embed 15 lines of code in Newegg.com’s payment page (httpx://secure.newegg[dot]com/GlobalShopping/CheckoutStep2.aspx). The skimmer uses the same base code as the British Airways attack, apart from referencing a different form name and directing the infected payment page to send JSON data to neweggstats.com.
Neweggstats.com was registered on 13 August with Namecheap, the same registrar used to register BAways.com, which was used in the British Airways attack. The attackers also purchased an SSL certificate from Comodo to lend legitimacy to their new domain, as was done in the BA attack.
RiskIQ said that around 14 August, the attackers placed their skimmer code on the Newegg servers and embedded it in the payment page code. This is unlike the BA attack, in which the attackers appear to have subverted a third-party script to compromise the site.
However, it doesn’t appear that Newegg had issued a statement or warned customers about the attack as of 3pm BST today.
Newegg.com has not responded to a request for comment from SC Magazine UK.
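The injection described above put a reference to a brand look-alike domain directly into the payment page, so a defender can audit which hosts that page's scripts point at. The following is an added example, not code from RiskIQ or Newegg; the allowlist, the sample markup and its file paths are constructed assumptions, and only the domain names come from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: the retailer's own registrable domain and brand token.
ALLOWED_SUFFIXES = ("newegg.com",)
BRAND = "newegg"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

class ScriptCollector(HTMLParser):
    """Collect external script URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.srcs, self.inline = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def is_allowed(host):
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit_checkout(html):
    """Return {host: reason} for each non-allowlisted host the page's scripts reference."""
    parser = ScriptCollector()
    parser.feed(html)
    urls = parser.srcs + [u for body in parser.inline for u in URL_RE.findall(body)]
    findings = {}
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host and not is_allowed(host):
            findings[host] = "brand look-alike" if BRAND in host else "unlisted host"
    return findings

# Constructed sample page: paths and the third-party host are placeholders.
SAMPLE = """<script src="https://secure.newegg.com/js/checkout.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>var dest = "https://neweggstats.com/PLACEHOLDER";</script>"""
```

A check like this only sees destinations written out in plain text, so it complements a Content-Security-Policy and file-integrity monitoring on the checkout page.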