In the latest in a long stream of data breaches, Newegg has reported that it has been the victim of thieves who stole customers’ credit card information over a period of one month.
Hackers were able to inject 15 lines of card skimming code onto Newegg’s payments page. The code remained on the website from August 14 to September 18. This code siphoned credit card information from customers and directed it to the hacker’s server with a similar name to fool consumers. The server also used an HTTPS certificate to avoid detection.
The e-commerce giant removed the code from its payment page after it was informed by Volexity, an incident response firm that detected the malware.
Newegg is still unsure how many customers were affected by the breach. There are nearly 45 million unique monthly visitors to the website every month. In 2016, the company reported revenue of $2.65 billion.
The data breach was very similar to several recent high-profile attacks, including the British Airways breach and the Ticketmaster breach. All three breaches have been attributed to the Magecart group, a hacker collective. Even the code used in the attacks was almost identical.
In the case of British Airways, nearly 380,000 customers had their information stolen, including credit card information, names, mailing addresses, and email addresses. That breach affected booked flight transactions between August 21 and September 5 although no travel information or passport data was stolen.
The Ticketmaster breach was found to be part of a much larger scheme, according to security firm RiskIQ, which identified about 800 victim e-commerce websites. In this case, hackers penetrated InBenta Technologies, which works with Ticketmaster. The Ticketmaster website itself wasn’t breached. The Magecart hackers were able to access payment information and use this strategy on hundreds of other websites. Rather than attacking an individual website, the hackers found it was easier to compromise the third-party suppliers of scripts to add a skimmer.
These attacks show that any business that uses payment processing can be a target, regardless of size, industry, or location. Each data breach demonstrated a sophisticated approach that integrated with the victim’s payment processing system and blended with the website infrastructure to remain undetected for as long as possible.