NewEgg cracked in breach, hosted card-stealing code within its own checkout

Like British Airways breach, attack blended with site code, sent data to lookalike domain.

Article intro image

Enlarge / Splat. (credit: John Liu)

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways—while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.

The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain's TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers' infrastructure.

Read 4 remaining paragraphs | Comments

Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.”

Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated and many services still use it as a main or backup 2FA method.

Reddit itself, it is worth noting, only provides 2FA via token. But at least one provider of theirs didn’t, it turns out, and the attackers took advantage of that. (Slowe said they know no phones were hacked, which suggests the SMS authentication codes were intercepted otherwise, possibly via spoofing a phone or scamming the provider.)

Although a complete inventory of what was accessed by the hackers isn’t made available, Slowe said that there were two main areas of concern as far as users were concerned:

  • A complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, salted/hashed passwords, emails, public posts, and private messages.
  • June’s email digests, with usernames and associated emails.

Reddit is a different and much, much bigger place today than it was in 2007; anyone who remembers the big migration from Digg in those days will also remember how small and limited it was.

Still, these data together could still be useful to malicious actors looking to scam people on this list — if I were them, I’d be sending fake email digests asking them to log in, or building a list of username-email pairs and matching those to other sites. And of course you might want to, as Slowe put it, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

If you’re one of the people affected, you should be receiving an email or PM that should inform you of your risk — for example, if your password hasn’t been changed since 2007, which would be its own security risk. I joined in July 2007 and haven’t received either, as a data point.

Slowe also noted that the company has alerted the appropriate authorities as required and has improved security since the event.