Online retailer Newegg is the latest victim of the actors behind Magecart, a financial theft group responsible for the recent breach of the British Airways website and mobile application, involving about 380,000 victims.
Their latest exploit was discovered by cybersecurity firm Volexity. Researchers from the firm verified the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg.
The malicious code specifically appeared once when moving to the Billing Information page while checking out. The relatively small snippet of JavaScript was responsible for stealing data during checkout.
Volexity researchers believe that the Newegg website may have been compromised and actively facilitating financial theft for over a month.
A key date in the Magecart attacks against Newegg comes from the registration data of the neweggstats.com domain. The domain was registered on August 13, 2018 via Namecheap. This indicates the attackers had likely already compromised the Newegg website and were preparing to launch attacks, according to the researchers.
The malicious code was removed from the Newegg website on September 18, 2018. Volexity was able to confirm the code was no longer present during the checkout process and has not returned.
While Magecart may be a major threat that eCommerce companies need to protect against, the larger issue is the increasing use of JavaScript-based data theft frameworks. Magecart, as well as other criminal tools such as JS Sniffer, shows how a few simple lines of JavaScript on a compromised eCommerce site can lead to a devastating amount of information being stolen.