Hackers Stole Customer Credit Cards in Newegg Data Breach (techcrunch.com)
Newegg is clearing up its website after a month-long data breach. TechCrunch: Hackers injected 15 lines of card skimming code on the online retailer's payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers -- though it's unclear if mobile customers are affected.
The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it's not known precisely how many customers completed transactions during the period.
guess they have egg on their faces (Score:2, Funny)
lol
Only a month? (Score:2)
The last step of checkout has been glitchy for over a year. Though I have been using a card on file and only had to enter my CVV code multiple times or gave up and used PayPal.
Re: (Score:2)
The reason why he got away with it was his hack fixed the process while he was at it.
Re: (Score:2)
You still shop at newegg?
I use the place to look up stuff because Amazon's categorization/features in computers is garbage, but I don't buy anything there; they are never ever cheaper than Amazon anymore. I don't think I've bought anything from them since 2010.
Re: (Score:2)
Mostly Samsung EVO 850/860 sales. Amazon isn't always cheaper, though. They have consistent low prices, but the only "sales" they have is sometimes silently matching other people's sale prices.
Re: (Score:2)
Re: (Score:2)
It's sounding like NoScript, uMatrix, uBlock Origin with third-parties disabled, etc. may have prevented this attack for users. From what I've gathered, the attack revolved around inserting malicious code into a first-party script so that the page would transmit user information to servers under the attacker's control as the user entered it. Since the malicious code was running client-side and was phoning home to a third-party server, I believe those extensions should have been capable of preventing the mal
Re: (Score:2)
Nothing worse than broken validation that doesn't expect you to copy/paste, insert in the middle of existing text, or hit backspace (or tab).
PKI Failing Again (Score:2)
It had one job to do.
Re: (Score:2)
I never saw the need for all the checking to make sure your keys are from a valid Certificating agency?
Just as long as you pay, you get the Cert. They are not doing what they are really supposed to be doing: validating your identity and the validity of the request. So if you buy a cert for newagg.com they should stop and realize that it is close to a popular newegg.com and should dig further to ensure that what they are doing is what they say they are and it's legit.
If you are paying hundreds of bucks then they should do
Re: (Score:2)
Came here to see if Paypal payments would be affected, I ordered stuff from them just a couple weeks ago using Paypal as the payment method (to work around Newegg's billing address restrictions).
Re: (Score:2)
I'm no authority, but as far as I can tell PayPal should be unaffected. It sounds like data was scooped off the front-end of the web site, i.e., from filling out the forms. But PayPal does not fill out forms; it sends data directly. So it should not be affected.
I am guessing also that my card number was not stolen since I used a saved number, rather than entering it in. However, Newegg always has you retype the CVV code, so that was definitely stolen in my case.
Re: (Score:2)
I'm no authority, but as far as I can tell PayPal should be unaffected. It sounds like data was scooped off the front-end of the web site, i.e., from filling out the forms. But PayPal does not fill out forms; it sends data directly. So it should not be affected.
I am guessing also that my card number was not stolen since I used a saved number, rather than entering it in. However, Newegg always has you retype the CVV code, so that was definitely stolen in my case.
I always use paypal when I can- partially for this reason. I hate when sites won't take paypal.
Re: (Score:2)
I'd actually suggest that the better way to handle payments is to reduce the value of the information transferred, namely, have the buyer's device generate a single-use token that can only be redeemed by the seller and can only be redeemed for the amount of the transaction(s). No credit card number that can be reused dozens of times. No PIN or security code. No home address. No name. Just a token that's useless once the transaction completes.
Apple Pay and other systems already do this transparently whether
My current rating for NewEgg is... (Score:3)
Re: (Score:3)
Re:My current rating for NewEgg is... (Score:4, Informative)
Was that when they stopped being price competitive with freaking brick and mortar mom and pop stores? Or when they started cleverly listing junk from seedy third parties?
NewEgg turned to shit long ago, and has been sliding further ever since.
Re: (Score:1)
Does anyone remember when they were EggHead Software and were a brick and mortar company?
Re: (Score:2)
I remember Egghead Software, and always wondered if they were related to NewEgg -- though didn't wonder enough to check the Wikipedia page or anything. :-p
Re: (Score:2)
There is no *corporate* relationship.
The folks who built and sold Egghead later created NewEgg (and I guess that's been sold, too, now)
hawk
Re: (Score:2)
Actually, now that I actually did look at the Wikipedia articles, it seems there is no relation between the two.
The company has no relation to the Egghead Software chain that was active from 1984 to 2001.
The reference for this claim is a dead link, however.
Re: (Score:2)
Re: (Score:2)
I bought my first SoundBlaster card there. :)
So much a different time back then.
Re: (Score:2)
Does anyone remember when they were EggHead Software and were a brick and mortar company?
IIRC the very first time my credit card number ever got stolen was when somebody broke into EggHead's systems. I believe that was the 2000 data breach which is mentioned in the Wikipedia article on the company.
However you're incorrect in tying the two companies together. From Wikipedia's NewEgg article:
The company has no relation to the Egghead Software chain that was active from 1984 to 2001
Re: (Score:2)
Curious.
I had always associated the two since one shriveled up about the time the other started.
My bad. Thanks for pointing that out.
Re: (Score:2)
No, there is no relation between NewEgg (2000-present) and Egghead Software (1984-2001).
Two separate companies and from what I can tell, Egghead died out in the late 80s or mid-90s or so. Lots of memories of visiting them though to get new stuff.
Stuff in baggies was always fun!
Re: (Score:1)
Re: (Score:2)
Between selling random non-electronics related junk and 3rd party sellers; it has become just another Amazon wannabe.
Re:My current rating for NewEgg is... (Score:4)
Now they are trying to be like Amazon and sell anything and everything. Newegg used to be my 'go to' place for computer parts, but now I do more shopping around. I liked it better when newegg was a computer parts store. But the recommendation AI was a source of entertainment when they changed. "Hey we see you just bought 4 3TB HDs for a NAS, wouldn't you like to buy this chain saw to go with it?"
Back on topic. This kind of explains the porn ransomware email I got a few weeks back. I changed my phone number to my new number on newegg and less than 24 hours later I got a scam email saying they had videos of me watching porn on my phone. And unless I coughed up a bucket of shekels they were going to send it to everyone on my contact list. Newegg was the only place that had my email address and new phone number. The new phone number was listed in the email.
Re: (Score:2)
I received one of those, and another one that said they had records of me browsing some pr0n site...never mind that I don't visit websites for pr0n. At least it was a solid indi
Re: (Score:3)
They said it was good porn, that "I have really good tastes." I would like to know what I was watching too. I told everyone on my contact list to let me know when the blackmail video shows up. So far it has been 2 weeks. Still waiting.
Re: (Score:2)
My guess is Amazon inserted the skimming code.
Interesting theory...
I would not be much surprised to find that true.
I remember Newegg... *sigh* (Score:2)
Many years ago (1998ish maybe?) I found out about Newegg and ordered a couple of sticks of RAM from them. They shipped me double what I ordered, and charged me for it. It was a nightmare to get my money refunded even AFTER I shipped back two sticks on my dime. It was such a bad experience that I swore I would never order from them again.
Fast forward a few years and I decided to give them another chance, and wow had they changed! They were my gold-standard for internet shopping experience. Fast, often f
Re: (Score:2)
...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.
Time to apply for a replacement card with new CCD or whatever.
Re: (Score:2)
I really don't get the point of your post. New Egg sells computer and computer components. In today's economy a lot of it would be hard to find at a store, or you will need to buy it from a bunch of sources. Sure most of New Egg you can probably get at Amazon.
Do you just hate everything. As you type AC Posts on a hand me down Pentium?
Using stored credentials would've been safer... (Score:2)
The usual advice is to not let the merchant store your credit card credentials — so they would not be stolen when the company's DB is.
This time, however, the people keeping their cards "on file" with Newegg were safe, whereas those who entered the credentials anew weren't...
Certificate? (Score:2)
So the bad guys got a 3rd party certificate? Last time I got one (Codomo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.
Is that not routine now? How could the bad guys not be traced if they went so far as to buy a cert?
Re: (Score:2)
So the bad guys got a 3rd party certificate? Last time I got one (Codomo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.
Is that not routine now? How could the bad guys not be traced if they went so far as to buy a cert?
They got a certificate for a "similar" domain.
The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection.
Could have used Let's Encrypt.
Re: (Score:2)
...Could have used Let's Encrypt....
They could have used any of the cert providers that use the "do you own the domain" email verification. That includes most of the cert vendors for the low-security certs (including Comodo when I had used them).
Re: (Score:2)
That would be expensive. Why pay someone to make a phone call when you can have a script that will generate the Cert after the payment gets processed. Nearly all profit.
Besides the customer isn't the one getting screwed by getting a Cert. It is just someone else who isn't a customer who will get affected.
Re: (Score:2)
This is what I read:
New Egg messed up on one of your orders. You were a jerk to them, so they stopped feeding your trolling.
The phrase the Customer is Always Right, is just that a Phrase, not a rule. It isn't an excuse to be abusive to a company or an employee.
Re:bad company, expected outcome. (Score:4)
I've had newegg mess up a few of my orders. Every time they practically tripped all over themselves to make it right. I can complain about a few things from newegg, but my experience with their customer service isn't one of them.
Re: (Score:2)
Why would it be considered Libel?
I am not saying He is that or did that, I just interpreted his comment to have that meaning.
It would be libel if I were to say "Don't sell stuff to this guy, because he is a bad customer."
Re: (Score:2)
I haven't used New Egg in over a decade.
But the Grandmother getting the kids the cheap ripoff is almost a trope.
But hey I am going to keep my Genuine Cook-e-man cards, they are going to be worth so much in the future.
Thank you HTTPS zealots (Score:3, Funny)
I sleep better knowing that HTTPS has made us all safe from teh hax0rs.
Re: (Score:3)
HTTPS did its job. There was no interception of data between the server and the client. Can't do shit if the server is compromised.
Re: (Score:2, Insightful)
Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.
Re: (Score:2)
I mean, it kinda did serve that purpose as well. The lock in the page did correctly state that:
1) The page you've been served is indeed from newegg.com, and
2) No data transmitted to or from you will be visible to any man in the middle.
No amount of transportation security can stop a compromised server from serving incorrect content or siphoning off data itself.
Re: (Score:2)
Car analogy time: A friend of mine decides to drive into a bad neighborhood to go to a certain store, so I give him an HTTPS charm to hang from his rear view mirror. I promise that it will protect him while he's driving to the store. So he drives safely there, parks nearby, and gets mugged going into the store. The charm did its job of preventing the (less likely) loss of his wallet while driving, but nothing to prevent the (far more likely) theft once he has arrived.
Re: (Score:2)
Except in your analogy, you ignore that the point of https is to prevent _man in the middle attacks_, like say, you connecting to wifi at a starbucks with a compromised router (or think you're connecting to starbucks wifi, but you're really connected to Jim Bob's router). It also hides your traffic from your ISP, which prevents them from snooping your traffic to inject ads (real issue with some ISPs) or sell your clickstream data (they can only sell what ips you connected to).
Re: (Score:2)
And now you are back to talking about HTTPS "job 1" which I am not arguing against.
The point of the analogy was to illustrate these ideas:
a) HTTPS does "job 1" just fine, though the actual threat for most people in that area is low (at least in a relative sense),
and b) HTTPS does not play a role in the area that is a larger actual threat -- on the server side.
The ultimate point being that the push to require HTTPS for everything is a "priority inversion" and gives non-technical internet uses a false sense o
Re: (Score:2)
While I kind of like the ring of being called "Jesus moron", you really should read threads carefully and from the top down. If you had you could have saved yourself a bunch of typing and excitement.
Re: (Score:1)
Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.
Classic absurd argument that if something doesn't stop everything, including things it has no role in, it shouldn't be used. There's no reason NOT to use https but it's not some magic bullet that keeps everything, everywhere safe.
Re: (Score:2)
Classic reading comprehension failure. I am making no such argument.
Re: (Score:2)
not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google
That's not even the thought process from Google. Here is the proposal from way back when. [chromium.org] Relevant section:
We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin. Roughly speaking, there are three basic transport layer security states for web origins: Secure (valid HTTPS, other origins like (*, localhost, *)); Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and Non-secure (broken HTTPS, HTTP).
Emphasis mine. And if you are wondering about the wording there, the exact definition can be found on the W3 site here. [w3.org] Which says if you trust the site then you can be assured that the information you transmit to the site has done so securely, that you can trust that they received the information that you sent them.
At no point can any standards body or web vendor indicate how compromised or fully f
Re: (Score:2)
You and I understand these distinctions, but the effect for the non-technical user, who the browser makers have labored to shelter and make as ignorant as possible (i.e. hiding URLs, protocols, etc.), is HTTP = bad, HTTPS = good. No website will want to be "bad", so they will all move to HTTPS, which is really not "just a good thing anyway" for the internet or the environment, if you think about the immense volume of traffic to which it would add the inefficiencies of (in some cases another layer of) encry
Re: (Score:2)
What does HTTPS mean then? That it is potentially legitimate? So I guess a half-full glass really is better than a half-empty one...
Re: (Score:2)
HTTPS just means that the server you've connected to is probably the real server associated with that domain name, and that an actor without the private key of the server you're connecting to cannot read what's being sent either way, nor tamper with it.
Re: (Score:3)
I sleep better knowing that HTTPS has made us all safe from teh hax0rs.
If that is what you think the purpose of https is, then you really should not be sleeping better, you should be learning more about https.
I'm laughing so hard my sides ache (Score:2)
"Paying electronically is safer, Rick, you shouldn't use cash for anything, you'll just get mugged!", they said. "It's all secured with encryption, nothing to worry about!", they said
What's next, you going to tell me the Equifax breach was 'fake news' and never happened?
"Oh, well, I don't buy things from Newegg so I feel perfectly safe!", they say to you
Seriously, folks, when is enough going to be enough for you all? It's objectively clear that electronic payment systems, regardless of whose they are, are not anything even close to secure. Leave the plastic at home (or at least leave it in your wallet), pay cash for things in person, and look for some way to at least limit your exposure to the overwhelming risk of paying electronically for anything, anywhere, ever. Do i
Re: (Score:2)
Re: (Score:2)
You're hilarious; what are you smoking to actually think that? I've been on cash for TWO YEARS and it hasn't 'cut me off' from ANYTHING. Get real and stop trading your actual security for mere 'convenience' and maybe your identity won't get stolen and bank accounts drained.
Re: (Score:2)
Re: (Score:2)
No, he is asking how you pay to get online in the first place. I suppose you could do prepaid phone cards from a store, but those get expensive if you are using them just for regular internet access.
Re: (Score:2)
Re: (Score:2)
Ok, nice attempt to change the subject, you didn't answer the question.
Re: (Score:2)
Re: (Score:2)
And we can take our horse-and-buggy down to the open air market to buy all of our locally produced goods.
Re: (Score:1)
He thinks you can't POSSIBLY live a 'modern' life without using plastic for everything, LOL!
Think again.
Re: (Score:2)
He thinks he can buy everything locally therefore only ever needing cash.
I can use italics to strawman people's arguments, too.
Though I am not sure you don't believe this. Real question: how do you buy something that isn't sold at a local brick and mortar store?
Re: (Score:2)
Re: (Score:3)
You have to forgive Rick. I'm not sure he understands how the modern economy works. Even Farmer Brown down at my local farmers market takes plastic. Just slides it through his iphone and we are good. I think he can take samsung and apple pay too.
Re: (Score:2)
Good for you, use cash. I've considered returning to cash only a few times. However, I do get protections from my CC company that I've used before. Plus that 4-5% cash back. & damn I got 80000 frequent flier miles! I used 70000 miles this year for an excellent vacation for my wife & I.
So go ahead, I actually admire those that are able to only shop local on a cash only basis. It's just not for me. I pay for my credit protection service (not fucking LifeLock), & will pay attention. Rent c
Re: (Score:2)
Re: (Score:2)
What's to stop it from happening again? (Score:5, Interesting)
Re: (Score:2)
I noticed their careers page had a lot of web hirings the last 1.5 years. I wonder if this was related.
Re: (Score:2)
Re: (Score:2)
Links to RiskIQ and Volexity reports (Score:4, Informative)
Here are the links to the original RiskIQ and Volexity reports on the breach.
RiskIQ: https://www.riskiq.com/blog/la... [riskiq.com]
Volexity: https://www.volexity.com/blog/... [volexity.com]
Their conclusion is basically to get a new credit card number if you transacted with Newegg from 13 Aug through 18 Sep 2018.
Re: (Score:2)
Re: (Score:2)
https://www.peerlyst.com/posts/inside-the-magecart-breach-of-british-airways-how-22-lines-of-code-claimed-380-000-victims-barrett-louie
Newegg alternatives? (Score:2)
Having just bought some things, I'm concerned, of course. Not to mention, newegg isn't remotely as good as they once were. Hell, I bought something on eBay and he shipped it two days faster and will get to me a week earlier than a similar order from newegg.
What are some good alternatives, outside of eBay and Amazon?
Re: (Score:2)
I have yet to regret a B&H purchase, have been using them for video and camera stuff since the 1990s. Just got a used Tamron lens from them, exactly as described (their 8+). Am even thinking of buying some SD cards from them because I just don't trust Amazon for that sort of thing any more. Only oddity is that it's run by Hasidic Jews, so they shut down except for web browsing during the Sabbath, no problem if you're patient.
Walmart.com has great control over their supply chain, they're really strict
Masterpass (Score:2)
What if I paid using masterpass?
Newegg press release? (Score:2)
Re: (Score:2)
NewEgg informed me via email before the story broke.
It was the first time I'd purchased through NewEgg in a long time.
An hour later, the information that may or may not have been stolen (I don't show net traffic to that domain) was invalid, so it's minimal impact to me.
Surprise Plot Twist (Score:1)
I stopped using NewEgg over 9mo ago. So at least I'm not affected.
As a Connecticut resident who got screwed over by NewEgg releasing false data to the State of Connecticut, when they were also NOT legally obligated to, I stopped using them. Ex our tax friendly state, in its endless quest to absolutely ruin any resident of the state and tax them to death, decided to pursue gathering Sales Tax / "Use Tax" data from NewEgg back around January 2018. They had done this to other sites and online merchants on their q
Taking advantage of all the CRAP (Score:2)
Big companies and small companies alike are addicted to WEBSTATS. It's hard to find a page out there that doesn't have 14 bits of Javascript code dedicated to giving better, targeted advertising and "customer service experience", so people would hardly be suspicious of code that sends information to "neweggstats.com".
There are HSTS headers that can be put on HTTPS pages to make sure the browser doesn't fall for this sort of thing, but using them tells the browser not to talk to those precious stat servers..
Re: (Score:2)
One of us is misunderstanding what HSTS is for. From my reading, it appears that this helps mitigate man-in-the-middle protocol downgrade attacks and cookie hijacking, but it would not do a thing to prevent a browser from accessing a third-party or spoofed site with a valid certificate. Am I misunderstanding this?