Cyber Incident Victim: Newegg
Date: Aug 2018
Location: United States of America
Summary
The Newegg online retail platform was compromised by the Magecart cyberthreat group through a payment card skimming operation. Attackers registered a deceptive domain resembling the legitimate site, deployed a malicious server to harvest stolen data, and injected a condensed skimming script directly into the payment processing page, capturing customer information during checkout after address validation. Security researchers identified the breach, leading to swift removal of the malicious code. Given the retailer's high monthly traffic, the operation potentially exposed payment details of millions of customers. This incident mirrored tactics used in prior Magecart attacks, including the British Airways breach, demonstrating the group's targeted approach against large-scale e-commerce platforms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid-August 2018, the Magecart cybercrime group executed a payment card skimming operation against Newegg, a major California-based online electronics retailer. The attackers registered the domain neweggstats.com on August 13, deliberately mimicking Newegg's legitimate newegg.com domain to appear authentic. Magecart obtained a TLS certificate from Comodo for this fraudulent domain, so that traffic to it would appear legitimate to browsers and casual inspection. The following day, the group pointed this domain at their command-and-control server at IP address 217.23.4.11, which was configured to collect stolen payment data. Magecart injected malicious skimming code into Newegg's payment processing page, specifically targeting customers during the financial transaction phase after they had added items to their cart and validated their shipping address. The skimmer ran only when a user reached the payment page, so that it captured live checkout sessions rather than casual browsing. The malicious script consisted of just 15 condensed lines of code, sharing core components with the code used in Magecart's contemporaneous breach of British Airways but optimized for stealth. This placement meant attackers could harvest credit card details, names, and other sensitive information as customers entered payment data during checkout.

Security researchers from RiskIQ and Volexity discovered the skimming operation and alerted Newegg on September 18, 2018. The retailer removed the malicious script within hours of notification, ending the 36-day compromise period. With Newegg receiving over 50 million monthly visitors according to Similarweb data, the breach potentially exposed the payment information of millions of customers. The incident represented an escalation in Magecart's tactics, demonstrating their shift toward high-profile targets through carefully planned domain spoofing and seamless website integration. Forensic analysis confirmed the attack was conducted by the same Magecart subgroup responsible for the British Airways breach, characterized by its focus on major brands and sophisticated skimmer deployment. No customer remediation actions by Newegg were detailed in available reports. The breach highlighted Magecart's operational efficiency: domain registration, server configuration and skimmer implementation were completed within a single day, and the group then maintained undetected access for over a month on a heavily trafficked e-commerce platform.
