{"id":7441,"date":"2018-09-19T17:14:40","date_gmt":"2018-09-19T21:14:40","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7441"},"modified":"2020-08-25T10:18:28","modified_gmt":"2020-08-25T14:18:28","slug":"magecart-newegg-breach","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/magecart-newegg-breach\/","title":{"rendered":"Magecart: Javascript Injection used to breach Newegg, steal PCI"},"content":{"rendered":"<h2>Magecart, the same group that stole 380,000 records from British Airways, strikes again&#8230;<\/h2>\n<p>Today we\u2019re going to talk about the sophisticated group of hackers behind Magecart.<\/p>\n<p>But first, cybercrime has never been more rampant. We say that so much that at this point it\u2019s become more of a platitude than a warning. But it\u2019s true.<a href=\"https:\/\/www.thesslstore.com\/blog\/1-4-million-new-phishing-websites-created-every-month\/\"> 1.4 million phishing sites are created every month<\/a>. In 2017, <a href=\"https:\/\/www.thesslstore.com\/blog\/2017-year-of-the-phish\/\">90% of Enterprise businesses and 74% of SMBs reported being attacked<\/a>. 
<a href=\"https:\/\/www.thesslstore.com\/blog\/2018-cybercrime-statistics\/\">Cybercrime is a $1.5 trillion industry<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3436\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/img-consider-this.png\" alt=\"year of the phish, phishing, 2017\" width=\"960\" height=\"240\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/img-consider-this.png 960w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/img-consider-this-300x75.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/img-consider-this-768x192.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/p>\n<p>Groups like the one behind Magecart are <a href=\"https:\/\/www.thesslstore.com\/blog\/2018-cybercrime-statistics\/\">making a small fortune<\/a> by injecting Javascript that steals Personal Data and Payment Card Information (PCI). Today we\u2019re going to talk about what Magecart is, how it\u2019s evolving and what exactly makes it so sophisticated in the first place.<\/p>\n<p>So, how did Magecart attack Newegg for over a month without anyone noticing?<\/p>\n<p>Let\u2019s hash it out\u2026<span id=\"newline\"><\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-7445\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Magecart-e1537390523548-300x300.jpg\" alt=\"Magecart\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Magecart-e1537390523548-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/Magecart-e1537390523548.jpg 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>What is Magecart?<\/h2>\n<p>Let\u2019s start by discussing card skimming, because the concept is going to be illuminating once we get into what Magecart does. 
A card skimmer is traditionally just a device that scans and stores payment card information. Skimmers can be used to exploit ATMs, gas pumps or pretty much any machine that accepts credit or debit cards.<\/p>\n<p>Magecart has taken that concept digital.<\/p>\n<p><a href=\"https:\/\/www.riskiq.com\/blog\/labs\/magecart-british-airways-breach\/\">RiskIQ has been tracking the group behind Magecart since 2015<\/a>. There seems to be a little disagreement on nomenclature. RiskIQ refers to the group itself as Magecart, while <a href=\"https:\/\/www.volexity.com\/blog\/2018\/09\/19\/magecart-strikes-again-newegg\/\">Volexity<\/a> \u2013 the group that discovered the Newegg breach \u2013 refers to Magecart as the attack and references the group behind it. For the sake of clarity, we\u2019re going to refer to the group as Magecart moving forward.<\/p>\n<p>Magecart has been ramping up its attacks over the course of 2018. It uses a tactic similar to Cross Site Scripting (XSS): it injects malicious javascript that sends stolen data to an external server over an HTTPS connection. The big difference is the method of injection; conceptually, the same thing is accomplished. Back in June, the group was able to <a href=\"https:\/\/www.riskiq.com\/blog\/labs\/magecart-ticketmaster-breach\/\">compromise Inbenta<\/a>, a Ticketmaster partner, and steal information from Ticketmaster International (specifically in Ireland, Turkey, New Zealand and Australia), Ticketmaster UK, GETMEIN! and TicketWeb.<\/p>\n<p>Then, earlier this month, RiskIQ identified another breach, <a href=\"https:\/\/www.riskiq.com\/blog\/labs\/magecart-british-airways-breach\/\">this time at British Airways<\/a>, where around 380K customers were affected. 
Now, this morning, Volexity has issued its report on Magecart\u2019s attack on Newegg.<\/p>\n<p>Newegg is a popular computer hardware and electronics e-commerce retailer.<\/p>\n<h2>How did Magecart attack Newegg?<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7446\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/javascript-injection-e1537390553295-300x300.jpg\" alt=\"Magecart\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/javascript-injection-e1537390553295-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/javascript-injection-e1537390553295.jpg 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Let\u2019s start with a conceptual explanation and then we\u2019ll get into specifics. What Magecart is actually doing is basically Cross Site Scripting, which is when an attacker injects a malicious script into an otherwise legitimate web page. XSS is one of the most common attack vectors used by cybercriminals; it&#8217;s even represented in the OWASP Top 10. Magecart managed to inject its script into the page a bit differently than your standard XSS fare. It uses a Javascript injection to accomplish its illicit goals. Javascript is one of the most common file types for transmitting malware and performing other attacks. <a href=\"https:\/\/www.thesslstore.com\/blog\/1-out-of-every-101-emails-malicious\/\">21.4% of all malware is Javascript-based<\/a>.<\/p>\n<p>In the Newegg breach, Magecart was able to inject its poisoned Javascript onto a page hosted on &#8220;secure.newegg.com&#8221; that was presented during the checkout process. The malicious code appeared when moving to the billing page while checking out. 
The injected script on that page (URL: https:\/\/secure.newegg.com\/GlobalShopping\/CheckoutStep2.aspx) collected form data and sent it to the domain &#8220;neweggstats.com&#8221; via an HTTPS connection.<\/p>\n<p>There\u2019s a lot to unpack here, everything from how the Javascript worked to how SSL\/TLS aided the attackers in exfiltrating the stolen data.<\/p>\n<p>Let\u2019s start with the code. This is the snippet that was responsible for the PCI theft:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7443\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_4.png\" alt=\"Magecart\" width=\"1686\" height=\"250\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_4.png 1686w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_4-300x44.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_4-768x114.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_4-1024x152.png 1024w\" sizes=\"auto, (max-width: 1686px) 100vw, 1686px\" \/><\/p>\n<p>There are a few fascinating things about this Javascript, perhaps the biggest being that it\u2019s a vivid display of Magecart\u2019s continued growth in terms of its level of sophistication. While all of the XSS injections are conceptually similar, each one is customized to its respective target and the code keeps getting more and more refined. In the British Airways breach earlier this month the injection was 22 lines. Less than a month later, the Newegg Javascript is just 8 lines (15 if you beautify it, i.e., reformat it for readability).<\/p>\n<p>I\u2019m not going to go through it line by line; I&#8217;ll just focus on three lines. The first line dictates that all page elements should load before execution. 
The second line handles what data will be transmitted and when that transmission occurs, which is when a mouse button is released or a touch-screen button is touched and released (to account for the high volume of mobile users). The final line shows where the stolen data is being transmitted to.<\/p>\n<p>Here is <a href=\"https:\/\/www.volexity.com\/blog\/2018\/09\/19\/magecart-strikes-again-newegg\/\">Volexity\u2019s description of how the script worked<\/a>:<\/p>\n<ol>\n<li>Create a variable named <strong>dati<\/strong> containing all information entered within a form titled <strong>checkout<\/strong>.<\/li>\n<li>Take the data captured within the <strong>dati<\/strong> variable and create an array by serializing the form field names and values with the <a href=\"https:\/\/www.w3schools.com\/jquery\/ajax_serializearray.asp\">serializeArray()<\/a> method.<\/li>\n<li>Take the array of data and convert it to a JSON formatted string with the <a href=\"https:\/\/www.w3schools.com\/js\/js_json_stringify.asp\">JSON.stringify()<\/a> method.<\/li>\n<li>Submit the JSON string to the URL\u00a0<strong>https:\/\/neweggstats.com\/GlobalData\/<\/strong> within a POST request.<\/li>\n<\/ol>\n<p>The attack lasted from August 16th until September 18th, when the malicious Javascript was finally removed.<\/p>\n<h2>Magecart hid its data exfiltration in encrypted traffic<\/h2>\n<p>The domain that was being used to collect the stolen PCI was registered with Namecheap on August 13<sup>th<\/sup>, three days before the attack is confirmed to have started. <a href=\"https:\/\/censys.io\/ipv4\/217.23.4.11\/table#443\">The attackers also installed an SSL certificate on the domain<\/a>. 
This allowed the script to send the stolen data over HTTPS connections, so the exfiltration was encrypted and blended in with legitimate traffic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7442\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_3.png\" alt=\"Magecart\" width=\"1356\" height=\"794\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_3.png 1356w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_3-300x176.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_3-768x450.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/newegg_3-1024x600.png 1024w\" sizes=\"auto, (max-width: 1356px) 100vw, 1356px\" \/><\/p>\n<p>This is common practice for Magecart: it regularly registers target-specific domains and uses them to hide within the normal encrypted traffic of its targets\u2019 sites.<\/p>\n<p>This is one of those places where <a href=\"https:\/\/www.thesslstore.com\/blog\/ssl-inspection\/\">HTTPS interception<\/a> could have potentially helped to ferret out the data that was being transmitted to the attackers\u2019 server. There\u2019s not really a consensus on HTTPS interception (sometimes called SSL inspection). On the one hand, <a href=\"https:\/\/www.thesslstore.com\/blog\/https-interception-harming-security\/\">it\u2019s proven that it does weaken encryption<\/a>. On the other, given the number of threats facing modern businesses \u2013 and the ability for those threats to hide in encrypted traffic \u2013 many feel HTTPS interception is a necessary evil. <a href=\"https:\/\/www.thesslstore.com\/blog\/pki-certificate-management-mistakes\/\">Certainly, at an Enterprise level it\u2019s advisable<\/a>.<\/p>\n<p>Still, with an attacker as sophisticated as Magecart, there\u2019s only so much that can be done. So far Magecart has victimized British Airways, Ticketmaster, Feedify and ABS-CBN. 
And as it continues to evolve and becomes harder to track, the risk Magecart poses is only going to grow along with it.<\/p>\n<p><em>As always, leave any questions or comments below\u2026<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7276\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" width=\"1559\" height=\"407\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w\" sizes=\"auto, (max-width: 1559px) 100vw, 1559px\" \/><\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>Magecart, the same group that stole 380,000 records from British Airways, strikes again&#8230; Today we\u2019re going to talk about the sophisticated group of hackers behind Magecart. 
But first, cybercrime has&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7448,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[8598,4329],"class_list":["post-7441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-magecart","tag-xss","post-with-tags"],"views":25606,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/09\/bigstock-Milan-Italy-August-212302831.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7441"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7441\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7448"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=7441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}