New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg

With the Magecart attackers compromising web shops left and right, online shopping is becoming a risky proposition. After Ticketmaster, British Airways and Feedify, two new Magecart victims have been identified: the broadcasting giant ABS-CBN and online retailer Newegg.

Compromised shops

Security researcher Willem de Groot flagged the ABS-CBN compromise a few days ago, and he believes the attackers added the payment card skimming script on or before August 16th.

RiskIQ and Volexity researchers shared details about the Newegg compromise on Wednesday, but it seems that the skimming also started around that time (on August 16th).

“The JavaScript leveraged in this attack is very similar to that observed from the British Airways compromise. The code in this case is customized to work with the Newegg website and send data to a different domain the attackers created in an attempt to blend in with the website,” Volexity researchers noted.

“While the functionality of the script is nearly identical, it is worth noting that the attackers have managed to minimize the size of the script even more, from 22 lines of code in the British Airways attack to a mere 8 lines for Newegg, 15 if the code is beautified.”

According to RiskIQ researcher Yonathan Klijnsma, the breach of Newegg shows the true extent of Magecart operators’ reach.

“These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target,” he noted.

The plot thickens

RiskIQ is working on a report on the (currently three, or possibly four) Magecart groups and has been helping compromised services like Shopper Approved (consumer ratings and review network) and Annex Cloud (analytics provider) recover.

The compromise of the latter has, so far, resulted in the revelation that the online shops of American department store chain Stein Mart and sports goods store Title Nine have also been affected.

With Shopper Approved and Annex Cloud servicing thousands of sites, the number of victim companies (and shoppers) is likely to be huge.

But, as Klijnsma pointed out, “the Magecart ‘saga’ isn’t about Newegg, British Airways, Ticketmaster or any other victim. It is about how we deal with online payments. It is time to consider a standard for secure forms with isolation as a standard.”
