It appears that MageCart has struck again, this time targeting Newegg, a popular online electronics retailer. MageCart was previously behind the breaches of British Airlines and Feedify. According to reports by RiskIQ and Volexity, MageCart had been stealing credit card payment information for over a month after its code was injected.
The operation used a domain named neweggstats.com, created specifically to receive the information stolen from the infected Newegg site. Timing played a part: the domain appears to have sat dormant for 3 days after it was created, before it became active on the 16th of August.
The breach was discovered a few days ago, yet the screenshot below suggests that the domain has still not been suspended, despite the harm it caused.
That is alarming, because the domain can be reused for spam, scams and more phishing attacks on the back of the breach that has already happened.
How did it happen?
It appears that the MageCart script was injected into the page of the site where users enter their payment information. The script binds itself to the page's action button. Once the credit card details have been entered and the button is pressed, it takes the information from the page, converts it to JSON, and transmits the sniffed data to https://neweggstats.com/GlobalData/
Protecting Credit Card Forms from Magecart
Scripts that steal credit card information online and devices used to hack POS are undeniably rampant, and the increase in online carding scripts is especially alarming. So how do we protect our online forms?
In an interview with the site Bleeping Computer, security expert Yonathan Klijnsma said that protection is hard, because attackers will try to force their way in through any avenue available.
He therefore tweeted advice on how to configure payment forms and submission functions so that it is difficult for scripts like MageCart to sniff data, especially payment details, from your site.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">A very simple defense against <a href="https://twitter.com/hashtag/magecart?src=hash&ref_src=twsrc%5Etfw">#magecart</a> to make it harder for them to pull out your customer's payment data: <br><br>Randomize the form and input field names/IDs. Map them back using session information on your server when you process checkout.</p>— Yonathan Klijnsma (@ydklijnsma) <a href="https://twitter.com/ydklijnsma/status/1042463653121814528?ref_src=twsrc%5Etfw">September 19, 2018</a></blockquote>
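One way to implement the defense from the tweet on the server side, as an added example that is not code from Klijnsma or Newegg. The logical field names, the `/checkout` action and the dict standing in for a server-side session store are assumptions made for illustration.

```python
import secrets

# Logical names the checkout handler works with (assumed for this example).
# They never appear in the HTML sent to the browser.
LOGICAL_FIELDS = ("card_holder", "card_number", "card_expiry", "card_cvv")


def _random_name() -> str:
    # Leading letter keeps the value a valid HTML id; 64 random bits follow.
    return "f" + secrets.token_hex(8)


def render_form(session: dict) -> str:
    """Issue a checkout form whose form/input names and IDs are random.

    The alias -> logical-name map is kept only in the server-side session.
    """
    field_map = {_random_name(): logical for logical in LOGICAL_FIELDS}
    session["checkout_fields"] = field_map
    inputs = "\n".join(
        f'  <input name="{alias}" id="{alias}" autocomplete="off">'
        for alias in field_map
    )
    return (f'<form id="{_random_name()}" method="post" action="/checkout">\n'
            f"{inputs}\n</form>")


def decode_submission(session: dict, posted: dict) -> dict:
    """Map posted random names back to logical names when processing checkout."""
    field_map = session.pop("checkout_fields", None)  # each map is single use
    if field_map is None:
        raise ValueError("no checkout form was issued for this session")
    if set(posted) != set(field_map):
        raise ValueError("submitted fields do not match the issued form")
    return {field_map[alias]: value for alias, value in posted.items()}


if __name__ == "__main__":
    session = {}  # constructed stand-in for a real server-side session
    print(render_form(session))
    # Constructed submission: the browser posts back the random names.
    posted = {alias: "sample" for alias in session["checkout_fields"]}
    print(decode_submission(session, posted))
```

Randomized names only defeat a skimmer that looks fields up by a fixed name or ID, which is why the tweet describes this as making extraction harder rather than preventing it.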