Newegg Security Was Cracked by Hackers for Over a Month

By Nathaniel Mott
published

Going after Newegg is like personally targeting hardware enthusiasts. The online storefront has long been favored as the go-to source for components, peripherals and pretty much anything else a PC builder might want. That makes the site a good target for hackers too, and new research from Volexity and RiskIQ today shows that Newegg was, in fact, attacked by the increasingly prolific organization known as Magecart.

Magecart has been active for years. Most recently it was accused of conducting attacks on Ticketmaster and British Airways. The latter is believed to have affected 380,000 people, showing that whoever's behind Magecart isn't content with attacks on small businesses or companies with operations in the UK. The attack on Newegg supports that ideait handles large amounts of money and is based in California.

RiskIQ explained in a blog post today why the reasoning behind targeting Newegg is so significant when it comes to understanding Magecart:

"The breach of Newegg shows the true extent of Magecart operators’ reach. These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways attacks were all present in the attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible."

The attack itself used malicious JavaScript on the "secure.newegg.com" domain to steal financial information during the checkout process. Volexity said in a blog post today that the script waits for a page to load, allows the victim to fill out their payment info and then allows the data "to be submitted to the attacker-specified destination when a mouse button is released" or "when a touch screen has been pressed and released."

That compromised information was sent to a domain the attackers set up at "neweggstats.com" via SSL/TLS. Magecart registered the domain on August 13, and not long after, compromised Newegg's website to place the skimmer code. The researchers said the malicious JavaScript was gone from Newegg's checkout page on September 18, so the attackers were likely able to steal data from a full month's worth of transactions.

Newegg has yet to disclose the attack on its site, but the company did tweet about the attack shortly after it was made public: "Yesterday we learned one of our servers had been injected with malware which was identified and removed from our site. We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted. Please check your email."

We've reached out to Newegg for a statement about the attack and how it plans to respond. More information about how many people were affected by the attack should be discovered after Newegg looks back at its transaction history and determines whether or not everyone who bought something between August 14 and September 18 was at risk. In the meantime, keep a close eye on your bank accounts, enthusiasts.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

Topics
Security
18 Comments Comment from the forums
  • rssbailey
    Hopefully they didn't know it was going on being as it was there for almost a month! I received the email from them saying I may be infected, and they are looking into it. Can say this, if my information I put on their secure site ends up costing me anything IE false charges etc. ill be contacting a lawyer!
    Reply
  • DXRick
    So they were able to put their malicious javascript thing into the code running on NewEgg's server? If hackers can access, modify, and install code running on the server (like a programmer working for the company could do), we are doomed! LoL!
    Reply
  • Mr5oh
    Even though I don't live in one of the states that was part of sales tax mess where NewEgg threw their customers under the bus, I've avoided them ever sense. Avoiding NewEgg is not always convenient, but Amazon and MicroCenter have gotten a lot more PC parts business from me. Note that I'm still paying sales tax to both those vendors too when I buy parts as well... In this case avoiding them worked out in my favor for another reason as well.
    Reply
  • knightmike
    Newegg hasn't been the same since they went public =\
    Reply
  • WINTERLORD
    i like new egg stuff happens no biggie. am wondering though if i need to be changing the debit card i usually use
    Reply
  • captaincharisma
    21334383 said:
    Hopefully they didn't know it was going on being as it was there for almost a month! I received the email from them saying I may be infected, and they are looking into it. Can say this, if my information I put on their secure site ends up costing me anything IE false charges etc. ill be contacting a lawyer!


    :lol::lol::lol:

    Reply
  • bit_user
    21334746 said:
    Even though I don't live in one of the states that was part of sales tax mess where NewEgg threw their customers under the bus
    When was this?
    Reply
  • Rexer
    This is the second time I heard it -today. They haven't sent me notice.. . yet. You think I'm worried? I buy from Newegg all the time.
    Reply
  • Joseph57
    I wrote to NE and had to ask them as to why I was not informed about their data breach, this is the reply:
    Hello Joseph

    I definitely understand your concern. However, at this time we are only notifying customers who through our internal investigation may have been affected by the data breach. We have only created a FAQ page on our website with useful information for any of our customers with concerns. I have included the link below for your convenience.

    2018 Data Security Update & FAQ
    https://kb.newegg.com/knowledge-base/2018-data-security-update-faq/

    If you need further assistance, and have additional questions, or concerns, feel free to reach out.

    Kindly

    Derek Marshall
    Public Image
    Newegg.com
    T 800.390.1119
    I would think that like most reputable places, they would inform their customers asap with out me having to ask, and I am surprised that they make no mention of providing me with security coverage like other places do, like Equifax did.
    Reply
  • Larmo-Ct
    I find this information very upsetting, because until recently. I was a big customer, and proponent of Newegg. I sourered on Newegg, when as one person mentioned here. They "Threw me under the bus", by reporting my purchasing history for a NUMBER of years. To the Tax authorities of my state, without my permission, or informing me, prior to doing it. While I will continue to purchase things from them. I definitely look elsewhere, when looking to purchase something, rather than automatically purchasing from Newegg. I don't mind having tax included in my online purchases, but I don't like being "blindsided" the way Newegg did, by "ratting me out". Lastly, I maintain a separate account for shopping online, and maintain a minimal balance. So that if my account is attacked. The thieves will only get a very small amount of money. Which my bank will reimburse me for, when they verify that the money was stolen from my account. I am extremely bothered, by the apparently nieve way, that the general public accepts Technology, for the sake of convenience. It's very convenient not to lock our doors, because we find using keys too much trouble to use. Using cash to pay for things, has become "such a burden" to many people now. They prefer to leave their money in the hands of companies and banks. That have proven that they are incapable of safeguarding their money. Governments and populations, are eagerly accepting the idea of a "cashless society". I'm sure that the criminals with the necessary skills, are rubbing their hands together, and salivating at the opportunities of the future.
    Reply