Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

Hackers Stole Customer Credit Cards in Newegg Data Breach (techcrunch.com) 149

Newegg is clearing up its website after a month-long data breach. TechCrunch: Hackers injected 15 lines of card skimming code on the online retailer's payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers -- though it's unclear if mobile customers are affected.

The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it's not known precisely how many customers completed transactions during the period.

This discussion has been archived. No new comments can be posted.

Hackers Stole Customer Credit Cards in Newegg Data Breach

Comments Filter:
  • by Anonymous Coward

    lol

  • The last step of checkout has been glitchy for over a year. Though I have been using a card on file and only had to enter my CVV code multiple times or gave up and used PayPal.

    • The reason why he got away with it, was his hacked fixed the process while he was at it.

    • You still shop at newegg?

      I use the place to lookup stuff because Amazons categorization/features in computers is garbage but I don't buy anything there, they are never ever cheaper than Amazon anymore. I don't think I've bought anything from them since 2010.

      • Mostly Samsung EVO 850/860 sales. Amazon isn't always cheaper, though. They have consistent low prices, but the only "sales" they have is sometimes silently matching other people's sale prices.

      • I can occasionally find things cheaper on NewEgg. HGST drives tend to always be cheaper on NewEgg, plus I don't have to pay sales tax through NewEgg.
  • It had one job to do.

    • I never saw the need for all the checking to make sure your keys are from a valid Certificating agency?
      Just as long as you pay you get the Cert. They are not doing what they really suppose to be doing validating your identity, and validity of the request. So if you buy a cert for newagg.com they should stop and realize that it is close to a popular newegg.com and should dig further to insure what they are doing is what they say they are and it legit.
      If you are paying hundreds of bucks then they should do

  • by nwaack ( 3482871 ) on Wednesday September 19, 2018 @10:29AM (#57342098)
    ...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.
    • by EvilSS ( 557649 )
      Newegg hasn't been the same since they got bought out a couple years ago. Shame really.
      • by Anonymous Coward on Wednesday September 19, 2018 @10:41AM (#57342184)

        Was that when they stopped being price competitive with freaking brick and mortar mom and pop stores? Or when they started cleverly listing junk from seedy third parties?

        NewEgg turned to shit long ago, and has been sliding further ever since.

        • by Hylandr ( 813770 )

          Does anyone remember when they were EggHead Software and were a brick and mortar company?

          • I remember Egghead Software, and always wondered if they were related to NewEgg -- though didn't wonder enough to check the Wikipedia page or anything. :-p

            • by hawk ( 1151 )

              There is no *corporate* relationship.

              The folks who built and sold Egghead later created NewEgg (and i guess that that's been sold, too, now)

              hawk

              • Actually, now that I actually did look at the Wikipedia articles, it seems there is no relation between the two.

                The company has no relation to the Egghead Software chain that was active from 1984 to 2001.

                The reference for this claim is a dead link, however.

          • by kackle ( 910159 )
            Yes; I bought a C compiler there - Watcom's [openwatcom.org] (now free), after I read it was used to create Doom and I wanted to learn more about C. This was in the late 1990s, and I think I paid ~ $100. This was back when you could buy the Netscape web browser in a box off the shelf at Best Buy for $40ish!
          • Does anyone remember when they were EggHead Software and were a brick and mortar company?

            IIRC the very first time my credit card number ever got stolen was when somebody broke into EggHead's systems. I believe that was the 2000 data breach which is mentioned in the Wikipedia article on the company.

            However you're incorrect in tying the two companies together. From Wikipedia's NewEgg article:

            The company has no relation to the Egghead Software chain that was active from 1984 to 2001 .

            • by Hylandr ( 813770 )

              Curious.

              I had always associated the two since one shriveled up about the time the other started.

              My bad. Thanks for pointing that out.

          • by tlhIngan ( 30335 )

            Does anyone remember when they were EggHead Software and were a brick and mortar company?

            No, there is no relation between NewEgg (2000-present) and Egghead Software (1984-2001).

            Two separate companies and fromw hat I can tell, Egghead died out in the late 80s or mid-90s or so. Lots of memories of visiting them though to get new stuff.

            Stuff in baggies was always fun!

          • Oh yeah. It's where I purchased 'Internet In a Box' kit for my 386 pre-pentium pc.
      • Between selling random non-electronics related junk and 3rd party sellers; it has become just another Amazon wannabe.

      • by jwhyche ( 6192 ) on Wednesday September 19, 2018 @12:07PM (#57342876) Homepage

        Now they are trying to be like Amazon and sell anything and every thing. Newegg used to be my 'go to' place for computer parts, but now I do more shopping around. I liked it better when newegg was computer part store. But the recommendation AI was a source of entertainment when they changed. "Hey we see you just bought 4, 3TB HD for a nas, wouldn't you like to buy this chain saw to go with it?"

        Back on topic. This kind of explains the porn ransomware email I got a few weeks back. I changed my phone number to my new number on newegg and less than 24 hours later I got a scam email saying they had video's of me watching porn on my phone. And unless i coughed up a bucket of shekels they were going to sent it to everyone on my contact list. Newegg was the only place that had my email address and new phone number. The new phone number was listed in the email.

        • by ncc74656 ( 45571 ) *

          This kind of explains the porn ransomware email I got a few weeks back. I changed my phone number to my new number on newegg and less than 24 hours later I got a scam email saying they had video's of me watching porn on my phone. And unless i coughed up a bucket of shekels they were going to sent it to everyone on my contact list.

          I received one of those, and another one that said they had records of me browsing some pr0n site...never mind that I don't visit websites for pr0n. At least it was a solid indi

    • Many years ago (1998ish mabye?) I found out about Newegg and ordered a couple of sticks of RAM from them. They shipped me double what I ordered, and charged me for it. It was a nightmare to get my money refunded even AFTER I shipped back two sticks on my dime. It was such a bad experience that I swore I would never order from them again.

      Fast forward a few years and I decided to give them another chance, and wow had they changed! They were my gold-standard for internet shopping experience. Fast, often f

    • ...one gold egg. Seriously, it was there for A MONTH and nobody noticed? Might be time to switch to a different site for my computer parts.

      Time to apply for a replacement card with new CCD or whatever.

  • The usual advice is to not let the merchant store your credit card credentials — so they would not be stolen when the company's DB is.

    This time, however, the people keeping their cards "on file" with Newegg were safe, whereas those, who entered the credentials anew, weren't...

  • So the bad guys got a 3rd party certificate? Last time I got one (Codomo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.

    Is that not routine now? How could the bad guys not be traced if they want so far as to buy a cert?

    • So the bad guys got a 3rd party certificate? Last time I got one (Codomo I think) for my mail server they actually verified my identity by phone in order to actually issue the certificate for me.

      Is that not routine now? How could the bad guys not be traced if they want so far as to buy a cert?

      They got a certificate for a "similar" domain.

      The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name -- likely to avoid detection.

      Could have used Let's Encrypt.

      • ...Could have used Let's Encrypt....

        They could have used any of the cert providers that use the "do you own the domain" email verification. That includes most of the cert vendors for the low-security certs (including Comodo when I had used them).

    • That would be expensive. Why pay someone to make a phone call where you can have a script that will generate the Cert after the payment get processed. Nearly all profit.
      Besides the customer isn't the one getting screwed by getting a Cert. It is just someone else who isn't a customer who will get affected.

  • by Lije Baley ( 88936 ) on Wednesday September 19, 2018 @10:58AM (#57342326)

    I sleep better knowing that HTTPS has made us all safe from teh hax0rs.

    • HTTPS did its job. There was no interception of data between the server and the client. Can't do shit if the server is compromised.

      • Re: (Score:2, Insightful)

        by Lije Baley ( 88936 )

        Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.

        • I mean, it kinda did serve that purpose as well. The lock in the page did correctly state that:
          1) The page you've been served is indeed from newegg.com, and
          2) No data transmitted to or from you will be visible to any man in the middle.

          No amount of transportation security can stop a compromised server from serving incorrect content or siphoning off data itself.

          • Car analogy time: A friend of mine decides to drive into a bad neighborhood to go to a certain store, so I give him an HTTPS charm to hang from his rear view mirror. I promise that it will protect him while he's driving to the store. So he drives safely there, parks nearby, and gets mugged going into the store. The charm did its job of preventing the (less likely) loss of his wallet while driving, but nothing to prevent the (far more likely) theft once he has arrived.

            • Except in your analogy, you ignore that the point of https is to prevent _man in the middle attacks_, like say, you connecting to wifi at a starbucks with a compromised router (or think you're connecting to starbucks wifi, but you're really connected to Jim Bob's router). It also hides your traffic from your ISP, which prevents them from snooping your traffic to inject ads (real issue with some ISPs) or sell your clickstream data (they can only sell what ips you connected to).

              • And now you are back to talking about HTTPS "job 1" which I am not arguing against.
                The point of the analogy was to illustrate these ideas:
                a) HTTPS does "job 1" just fine, though the actual threat for most people in that area is low (at least in a relative sense),
                and b) HTTPS does not play a role in the area that is a larger actual threat -- on the server side.
                The ultimate point being that the push to require HTTPS for everything is a "priority inversion" and gives non-technical internet uses a false sense o

        • by Anonymous Coward

          Yes, but you are thinking of the classic job of https, not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google.

          Classic absurd argument that if something doesn't stop everything, including things it has no role in, it shouldn't be used. There's no reason NOT to use https but it's not some magic bullet that keeps everything, everywhere safe.

        • not the new and bogus "https means it's legit, everything should be https" line of thinking, re Google

          That's not even the thought process from Google. Here is the proposal from way back when. [chromium.org] Relevant section:

          We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin. Roughly speaking, there are three basic transport layer security states for web origins: Secure (valid HTTPS, other origins like (*, localhost, *)); Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and Non-secure (broken HTTPS, HTTP).

          Emphasis mine. And if you are wondering about the wording there, the exact definition can be found on the W3 site here. [w3.org] Which says if you trust the site then you can be assured that the information you transmit to the site has done so securely, that you can trust that they received the information that you sent them.

          At no point can any standards body or web vendor indicate how compromised or fully f

          • You and I understand these distinctions, but the effect for the non-technical user, who the browser makers have labored to shelter and make as ignorant as possible (i.e. hiding URLs, protocols, etc.), is HTTP = bad, HTTPS = good. No website will want to be "bad", so they will all move to HTTPS, which is really not "just a good thing anyway" for the internet or the environment, if you think about the immense volume of traffic to which it would add the inefficiencies of (in some cases another layer of) encry

    • I sleep better knowing that HTTPS has made us all safe from teh hax0rs.

      If that is what you think the purpose of https is, then you really should not be sleeping better, you should be learning more about https.

  • "Paying electronically is safer, Rick, you shouldn't use cash for anything, you'll just get mugged!", they said. "It's all secured with encrytion, nothing to worry about!", they said

    What's next, you going to tell me the Equifax breach was 'fake news' and never happened?

    "Oh, well, I don't buy things from Newegg so I feel perfectly safe!", they say to you

    Seriously, folks, when is enough going to be enough for you all? It's objectively clear that electronic payment systems, regardless of whose they are, are not anything even close to secure. Leave the plastic at home (or at least leave it in your wallet), pay cash for things in person, and look for some way to at least limit your exposure to the overwhelming risk of paying electronically for anything, anywhere, ever. Do i

    • Nonsense. Cutting yourself off from the civilized world is not a solution. The time/cost efficient solution is use something like credit karma and a credit card with fraud protection. Check your bill every month or two and you are fine. Sure your data may get stolen every few years, but the credit card company will eat the cost and you'll be fine.
      • He thinks I've 'cut myself off from the civilized world'
        You're hilarious; what are you smoking to actually think that? I've been on cash for TWO YEARS and it hasn't 'cut me off' from ANYTHING. Get real and stop trading your actual security for mere 'convenience' and maybe your identity won't get stolen and bank accounts drained.
    • And we can take our horse-and-buggy down to the open air market to buy all of our locally produced goods.

      • Wrong! I drive my Toyota Tacoma down to the open-air market to buy locally-produced goods -- because I support the LOCAL economy, being the good citizen and neighbor that I am. Why aren't you?
        He thinks you can't POSSIBLY live a 'modern' life without using plastic for everything, LOL!
        Think again.
        • He thinks he can buy everything locally therefore only ever needing cash.

          I can use italics to strawman people's arguments, too.

          Though I am not sure you don't believe this. Real question: how do you buy something that isn't sold at a local brick and mortar store?

      • by jwhyche ( 6192 )

        You have to forgive Rick. I'm not sure he understands how the modern economy works. Even Farmer Brown down at my local farmers market takes plastic. Just slides it through his iphone and we are good. I think he can take samsung and apple pay too.

    • Good for you, use cash. I've considered returning to cash only a few times. However, I do get protections from my CC company that I've used before. Plus that 4-5% cash back. & damn I got 80000 frequent flier miles! I used 70000 miles on this year for a excellent vacation for my wife & I.

      So go ahead, I actually admire those that are able to only shop local on a cash only basis. It's just not for me. I pay for my credit protection service (not fucking LifeLock), & will pay attention. Rent c

    • Can't. Where I live, that'd limit my tech purchases to Bestbuy and Walmart.
  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Wednesday September 19, 2018 @11:05AM (#57342366) Journal
    The real breach is in that the attackers were somehow able to change the web page content to achieve this end. Do they know how the attackers accomplished this? If not, what's to stop it from reoccurring, even if not by the same people, when someone else figures it out?
    • by antdude ( 79039 )

      I noticed their careers page had a lot of web hirings the last 1.5 years. I wonder if this was related.

  • by bosef1 ( 208943 ) on Wednesday September 19, 2018 @11:37AM (#57342652)

    Here are the links to the original RiskIQ and Volexity reports on the breach.

    RiskIQ: https://www.riskiq.com/blog/la... [riskiq.com]

    Volexity: https://www.volexity.com/blog/... [volexity.com]

    They're conclusion is basically to get a new credit card number if you transacted with Newegg from 13 Aug through 18 Sep 2018.

    • Has newegg said how that code got on their site?
  • Having just bought some things, I'm concerned, of course. Not to mention, newegg isn't remotely as good as they once were. Hell, I bought something on eBay and he shipped it two days faster and will get to me a week earlier than a similar order from newegg.

    What are some good alternatives, outside of eBay and Amazon?

  • What if I paid using masterpass?

  • And when was Newegg going to inform their customers about this? Strange that we had to find out about this from a 3rd party news source. Does this only impact Newegg US, or other countries where Newegg does business affected too?
    • NewEgg informed me via email before the story broke.

      It was the first time I'd purchased through NewEgg in a long time.

      An hour later, the information that may or may not have been stolen (I don't show net traffic to that domain) was invalid, so it's minimal impact to me.

  • I stopped using NewEgg over 9mo ago. So at least I'm not affected.

    As a Connecticut resident who got screwed over by NewEgg releasing false data to the State of Connecticut, when they were also NOT legally obligated to I stopped using them. Ex our tax friendly state in it's endless quest to absolutely ruin any resident of the state and tax them to death decided to purse gathering Sales Tax / "Use Tax" data from NewEgg back around January 2018. They had done this to other sites and online merchants on their q

  • Big companies and small companies alike are addicted to WEBSTATS. It's hard to find a page out there that doesn't have 14 bits of Javascript code dedicated to giving better, targeted advertising and "customer service experience", so people would hardly be suspicious of code that sends information to "neweggstats.com".

    There are HSTS headers that can be put on HTTPS pages to make sure the browser doesn't fall for this sort of thing, but using them tells the browser not to talk to those precious stat servers..

    • by txsable ( 169665 )

      One of us is misunderstanding what HSTS is for. From my reading, it appears that this helps mitigate man-in-the-middle protocol downgrade attacks and cookie hijacking, but it would not do a thing to prevent a browser from accessing a third-party or spoofed site with a valid certificate. Am I misunderstanding this?

news: gotcha

Working...