Um grupo hackers conhecidos como Magecart roubaram dados dos cartões de crédito dos clientes da loja eletrónica Newegg.
O grupo Magecart está de volta, desta vez os hackers roubaram os dados dos cartões de crédito dos clientes da loja eletrónica Newegg.
A Magecart está ativa desde pelo menos 2015, mas recentemente o grupo invadiu os websites da Ticketmaster, da British Airways e da Feedify para injetar um skimmer usado para extrair os dados do cartão de pagamento dos utilizadores.
As empresas de segurança Volexity e RiskIQ conduziram uma investigação conjunta sobre o hack da Newegg.
Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out.” reported Volexity.
“This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.”
O grupo Magecart conseguiu comprometer o website da Newegg e roubar os detalhes do cartão de crédito de todos os clientes que fizeram compras entre 14 de agosto e 18 de setembro de 2018.
“On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com. Registered through Namecheap, the malicious domain initially pointed to a standard parking host.” reads the analysis published by RiskIQ.
“However, the actors changed it to 217.23.4.11 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page”
Ativo desde pelo menos 2015, o grupo de hackers Magecart registoou um domínio pra intuito malicioso chamado neweggstats (dot) com (similar ao legítimo newegg.com do Newegg) em 13 de agosto e adquiriu um certificado SSL emitido pela Comodo para o domínio.
A técnica é exatamente aquela utilizada no ataque contra o website da British Airways.
Em 14 de agosto, o grupo injetou o código skimmer na página de processamento de pagamentos do website oficial, então quando os clientes fizeram o pagamento, os invasores puderam aceder aos seus dados de pagamento e enviá-los para o domínio neweggstats (dot) com.
“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways.” continues RiskIQ.
“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script”.
Especialistas de segurança disseram que tanto utilizadores de apps móveis como desktop foram afetados pelo hack.
Os clientes que fizeram compras no website da Newegg entre 14 de agosto e 18 de setembro de 2018 deverão bloquear imediatamente o cartão de credito.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.