mdlbear: (technonerdmonster)

TL;DR: if you bought anything from Newegg between August 14th and September 18th, call your bank and get a new credit card. You can find more details in these articles:

    NewEgg cracked in breach, hosted card-stealing code within its own checkout | Ars Technica
    Hackers stole customer credit cards in Newegg data breach | TechCrunch
    Magecart Strikes Again: Newegg in the Crosshairs | Volexity
    Another Victim of the Magecart Assault Emerges: Newegg

The credit-card skimming attack appears to have been done by Magecart, the organization behind earlier attacks on British Airways and Ticketmaster. If you are one of the customers victimized by one of these attacks, it's not your fault, and there isn't much you could have done to protect yourself (but read on for some tips). Sorry about that.

This article, Compromised E-commerce Sites Lead to "Magecart", gives some useful advice. (It's way at the end, of course; search for "Conclusion and Guidance".) The most relevant for users is

An effective control that can prevent attacks such as Magecart is the use of web content whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons function by allowing the end user to specify which websites are “trusted” and prevents the execution of scripts and other high-risk web content. Using such a tool, the malicious sites hosting the credit card stealer scripts would not be loaded by the browser, preventing the script logic from accessing payment card details.

Note that I haven't tried NoScript myself -- yet. I'll give you a review when I do. They also advise selecting your online retailers carefully, but I'm not sure I'd consider, say, British Airways to be all that dubious. (Ticketmaster is another matter.)
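The whitelisting approach quoted above can also be applied from the site operator's side: decide which origins are allowed to serve scripts on the checkout page, audit the page against that list, and turn the same list into a Content-Security-Policy header so every visitor's browser enforces it. The following is an added example, not code from this post or from any of the linked articles; the shop domain, the gateway domain, the look-alike domain and the sample HTML are all constructed.

```python
"""Allowlist audit of the <script> tags on a checkout page, plus the
matching Content-Security-Policy header.

Added example, not code from the original post or the linked articles.
ALLOWED_ORIGINS, the domain names and SAMPLE_CHECKOUT_HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins the (hypothetical) shop operator has approved for script loading.
ALLOWED_ORIGINS = {
    "https://www.example-shop.test",
    "https://js.payment-gateway.test",
}


class ScriptCollector(HTMLParser):
    """Records external script sources and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every <script src=...>
        self.inline = 0      # number of <script> tags with no src

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def origin_of(url, page_origin):
    """Return scheme://host for a script URL; relative URLs belong to the page."""
    parsed = urlparse(url)
    if not parsed.netloc:
        return page_origin
    scheme = parsed.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{parsed.netloc.lower()}"


def audit_scripts(html, page_origin, allowed=ALLOWED_ORIGINS):
    """Return (sorted list of script origins not on the allowlist, inline count).

    Any origin in the first element is a script the operator never approved,
    which is exactly what a skimmer injected into the checkout page looks like.
    Inline scripts are reported separately, since a skimmer can also be
    injected as inline code rather than loaded from a remote host.
    """
    collector = ScriptCollector()
    collector.feed(html)
    unexpected = sorted(
        {origin_of(src, page_origin) for src in collector.external} - set(allowed)
    )
    return unexpected, collector.inline


def csp_header(allowed=ALLOWED_ORIGINS):
    """Build a Content-Security-Policy value that permits only allowlisted origins.

    'self' covers the page's own origin.  'unsafe-inline' is deliberately not
    granted, so an injected inline script is blocked as well, and violations
    are reported to the site so unexpected loads show up in its logs.
    """
    sources = " ".join(sorted(allowed))
    return f"script-src 'self' {sources}; report-uri /csp-report"


# Constructed checkout page: the shop's own script, the legitimate gateway
# script, a script from a look-alike domain, and one inline block.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-gateway.test/v1/card.js"></script>
<script src="https://www.example-shop-cdn.test/js/loader.js"></script>
<script>document.addEventListener('submit', function (e) { /* ... */ });</script>
</body></html>
"""

if __name__ == "__main__":
    bad, inline_count = audit_scripts(SAMPLE_CHECKOUT_HTML, "https://www.example-shop.test")
    print("script origins not on the allowlist:", bad)
    print("inline scripts (need review or a nonce):", inline_count)
    print("Content-Security-Policy:", csp_header())
```

Running the audit against the sample page flags the look-alike `example-shop-cdn` origin and the single inline block; the generated header would make a browser refuse both. The audit is only a snapshot of the HTML the server sends, so it should be run against the live checkout page on a schedule and after every deployment, since a compromised site keeps serving whatever was injected until someone notices.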

Impacts of a Hack on a Magento Ecommerce Website, which talks about an attack on a site using the very popular Magento platform, gives some additional advice:

Shy away from sites that require entering payment details on their own page. Instead prefer the websites that send you to a payment organization (PayPal, payment gateway, bank, etc) to complete the purchase. These payment organizations are required to have very strict security policies on their websites, with regular assessments, so they are less likely to be hacked or miss some unauthorized modifications in their backend code.

They also suggest checking to see whether the website has had recent security issues, and using credit cards with additional levels of authentication (e.g. 2FA -- two-factor authentication).


Things are more difficult for retailers, but the best advice (from this article, again) is

Stay away from processing payment details on your site. If your site never has access to clients’ payment details, it can’t be used to steal them even if it is hacked. Just outsource payments to some trusted third-party service as PayPal, Stripe, Google Wallet, Authorize.net, etc.

This is the flip side of what they recommend for shoppers. If the credit card info isn't collected on your site, you're not completely safe, but it avoids many of the problems, including Magecart. Keep your site patched anyway.

If you insist on taking payment info on your own site, and even if you don't, the high-order bit is this paragraph:

E-commerce site administrators must ensure familiarity and conformance to recommended security controls and best practices related to e-commerce, and particularly, the software packages utilized. All operating system software and web stack software must be kept up to date. It is critical to remain abreast of security advisories from the software developers and to ensure that appropriate patch application follows, not only for the core package but also third-party plugins and related components. [emphasis mine]

Be careful out there!

Links:

    NewEgg cracked in breach, hosted card-stealing code within its own checkout | Ars Technica
    Hackers stole customer credit cards in Newegg data breach | TechCrunch
    Magecart Strikes Again: Newegg in the Crosshairs | Volexity
    Another Victim of the Magecart Assault Emerges: Newegg
    Inside and Beyond Ticketmaster: the Many Breaches of Magecart
    The British Airways Breach: How Magecart Claimed 380,000 Victims
    Impacts of a Hack on a Magento Ecommerce Website

Another fine post from The Computer Curmudgeon, cross-posted to computer-curmudgeon.com.

Date: 2018-09-21 09:57 pm (UTC)
madfilkentist: Photo of Carl (Default)
From: [personal profile] madfilkentist
I use NoScript regularly. It's good but has its limitations. The problem is that many websites deliver much of their JavaScript functionality through third-party sites. If you use NoScript to enable just the site's own JavaScript, it often won't work. Then you have to guess which of the ten other sites you can trust. The thief seems to have used a domain name similar to NewEgg's, so people might have assumed it was safe and enabled it first.

This theft grabbed credit card data by JavaScript as it was being entered, so the best server-side protection in the world wouldn't help.

Date: 2018-09-22 12:23 pm (UTC)
madfilkentist: Photo of Carl (Default)
From: [personal profile] madfilkentist
It sounded to me as if the problem could have been "malvertising," though I didn't see it explicitly alluded to. Advertising sites are often very careless about what they allow in their ads, and they get a free ride (well, OK, a paid ride) onto big-name sites. The keylogger script could have been from such an ad.

Date: 2018-09-22 04:35 pm (UTC)
jcfiala: (Default)
From: [personal profile] jcfiala
Yeah, since a data breach at one online store a couple of years ago, I've been highly preferring PayPal over any other form of payment.
