High-quality Professional Digital Services

NewEgg Hacked by the Magecart Attack Using Skimmers to Steal Credit Card Information

Load WordPress Sites in as fast as 37ms!

There are many reasons to want to share one’s credit card information online, such as online purchases, subscriptions, and various payments. However, things can be pretty risky as your credit card information may be stolen and used for unlawful purposes.

Online consumers are told to look for a few red flags before entering credit card information on an e-commerce store. HTTPS, contact information, and site reputation all play a role in assessing a site’s credibility.

Credibility leads to trust for consumers ready to enter their credit card details but what they don’t know is, hackers that gain access to site code can install skimmers that steal data on a site that otherwise looks secure.

One of such flaws is the Magecart attack which recently affected British Airways. The Magecart attack allowed attackers to add a skimmer to NewEgg, which is one of the biggest online retailers for computer equipment and electronics.

Skimming Credit Card Data from Code

The term “skimmer” is a physical device which is installed on a payment machine. A skimmer tricks users into swiping their card and entering other private details such as the PIN when paying for a product.

One popular location for skimmer attacks is the gas station.  Since some pumps are usually out of the store attendant’s line of sight, the attacker can install a skimmer without being seen.

The skimmer usually has a small camera; this camera is usually attached to the pump to take a snapshot of the PIN as the user enters it in after swiping the card.

To detect a skimmer, you should take a close look at the pump’s credit card equipment. If it looks damaged, broken off or improperly installed, then the chances are high that there’s a skimmer in the pump.

Malicious JavaScript Injected into Shopping Cart Code

So how does the attacker retrieve the information? They leave the skimmer installed for a day or two, hoping that it takes many snapshots when unsuspecting users input their PIN; then they go to the gas station pump to collect the equipment and retrieve the images.

Going to the gas station pump to collect the equipment is one physical way an attacker can gain access to consumer credit cards, but there are also virtual methods. These virtual methods involve JavaScript injection into a target e-commerce site’s shopping cart system.

How the Magecart attack code was able to be injected into NewEgg’s shopping cart is still unknown, but researchers at RiskIQ were able to uncover the shopping cart page and the code that contained the skimmer.

The “CheckoutStepL.aspx” page was a part of NewEgg’s final shopping cart stage where users had entered their credit card information.

Since it’s a browser hack, the Magecart code is JavaScript code that is visible in the browser. However, since most users are unaware of the underlying code that powers web pages, the malicious code goes unnoticed.

The following is the code that skims credit card data from the main NewEgg shopping cart page:

Notice the “neweggstats.com” domain used in the jQuery function. The attacker registered a lookalike domain to avoid detection. An SSL cert for HTTPS encryption was even registered and installed on the domain, so any consumer who reviewed the site would assume that it was a safe site.

One trick attackers use to fool users is creating lookalike sites of the originals; this tricks users into thinking the site is the same as the original without checking the domain name carefully. Attackers also install an SSL certificate to make the trick harder to discover.

Having a lookalike site also avoids detection from developers who probably don’t question if the website is used to collect statistics. It’s not uncommon for several developers to edit the code base and add marketing URLs to it.

Developers could assume that the URL was added by another developer on direction from the marketing team.

How to Avoid This Attack

The JavaScript code used to skim credit card data is specific to NewEgg based on the HTML elements tied to the “mouseup” event. The “mouseup” event is triggered when the user moves the mouse up when browsing the web page

When the code is triggered, it grabs the credit card number from NewEgg’s shopping card page and sends it to the hacker’s third-party “neweggstats.com” server.

The entire process of skimming the credit card was completely invisible to the user, so it was able to remain on the site from August 14 to September 18, 2018, enough time to cause massive damage.

How the code got on the NewEgg site is still a mystery, but it’s possible that attackers were able to gain access to the code base. Another possibility is that the attacker was able to inject JavaScript on another form that did not validate input and then encode it when rendered on the page.

The latter is cross-site scripting (XSS), and it’s a common way for attackers to get their JavaScript on a page that they want to use to collect data.


Magecart is a silent attack that can leave any shopping cart susceptible to credit card skimmers. NewEgg fell victim for a month with no idea that their site pages had been compromised.

The Magecart attack is difficult to detect and defend against this attack when your code base is compromised, but validating and encoding JavaScript when it’s stored and rendered on a web page is one way to stop XSS abuse.

You might also like

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More