TL;DR: if you bought anything from Newegg between August 14th and
September 18th, call your bank and get a new credit card. You can find
more details in these articles:
  NewEgg cracked in breach, hosted card-stealing code within its own checkout | Ars Technica
  Hackers stole customer credit cards in Newegg data breach | TechCrunch
  Magecart Strikes Again: Newegg in the Crosshairs | Volexity
  Another Victim of the Magecart Assault Emerges: Newegg
The credit-card skimming attack appears to have been done by Magecart, the organization behind earlier attacks on British Airways and Ticketmaster. If you are one of the customers victimized by one of
these attacks, it's not your fault, and there isn't much you could
have done to protect yourself (but read on for some tips). Sorry about that.
This article, Compromised E-commerce Sites Lead to
"Magecart", gives some useful advice. (It's way at the end, of
course; search for "Conclusion and Guidance".) The most relevant for
users is:
An effective control that can prevent attacks such as Magecart is the use
of web content whitelisting plugins such as NoScript
(for Mozilla’s Firefox). These types of add-ons function by allowing the
end user to specify which websites are “trusted” and prevent the
execution of scripts and other high-risk web content. Using such a tool,
the malicious sites hosting the credit card stealer scripts would not be
loaded by the browser, preventing the script logic from accessing payment
card details.
Note that I haven't tried NoScript myself -- yet. I'll give you a review
when I do. They also advise selecting your online retailers carefully,
but I'm not sure I'd consider, say, British Airways to be all that dubious.
(Ticketmaster is another matter.)
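The allowlisting idea in that quote works just as well from the other side of the counter: a site operator can fetch their own checkout page and report any script whose origin isn't on the list of hosts they expect, which is exactly the kind of unauthorized inclusion these skimming attacks rely on. Here is an added example of that check (my illustration, not code from the post's sources or from NoScript); the allowlist, the hypothetical hosts and the sample checkout HTML are all constructed.

```python
"""Allowlist check for <script> sources on a checkout page.

Added example, not from the original post or the articles it cites: the
same origin-allowlisting idea NoScript applies in the browser, applied by
a site operator to a fetched copy of their own checkout HTML. Any script
whose origin is not on the allowlist is reported. The allowlist, the
hypothetical hosts and the sample HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: origins a hypothetical shop expects on its checkout page.
ALLOWED_ORIGINS = {
    "https://shop.example",                 # hypothetical first-party host
    "https://js.payment-gateway.example",   # hypothetical payment provider
}

# Constructed sample checkout HTML: two expected scripts, one unexpected
# third-party inclusion, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-gateway.example/v3/"></script>
<script src="https://cdn.unknown-host.example/jquery.min.js"></script>
<script>window.dataLayer = [];</script>
</head><body>...</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.sources.append(dict(attrs).get("src"))


def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def find_unexpected_scripts(html, page_url, allowed_origins, allow_inline=False):
    """Return (unexpected_sources, inline_count).

    Relative src values are resolved against page_url so first-party scripts
    compare correctly. Inline scripts are counted separately, since injected
    code can also be inline; they are reported as unexpected unless
    allow_inline is True.
    """
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {o.lower() for o in allowed_origins}
    unexpected = []
    inline = 0
    for src in collector.sources:
        if src is None:
            inline += 1
            if not allow_inline:
                unexpected.append("<inline script>")
            continue
        absolute = urljoin(page_url, src)
        if origin_of(absolute) not in allowed:
            unexpected.append(absolute)
    return unexpected, inline


if __name__ == "__main__":
    flagged, inline_count = find_unexpected_scripts(
        SAMPLE_HTML, "https://shop.example/checkout", ALLOWED_ORIGINS
    )
    print(f"inline scripts: {inline_count}")
    for entry in flagged:
        print("UNEXPECTED:", entry)
```

Run against the sample, it flags the cdn.unknown-host.example script and the inline block while letting the first-party and payment-provider scripts through. Running something like this on a schedule against the live checkout page, and alerting on any change in the result, is a cheap way for a retailer to notice the kind of modification described in the articles above before customers do.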
Impacts of a Hack on a Magento Ecommerce Website, which talks about
an attack on a site using the very popular Magento platform, gives some additional advice:
Shy away from sites that require entering payment details on their
own page. Instead prefer the websites that send you to a payment
organization (PayPal, payment gateway, bank, etc) to complete the
purchase. These payment organizations are required to have very strict
security policies on their websites, with regular assessments, so they are
less likely to be hacked or miss some unauthorized modifications in their
backend code.
They also suggest checking to see whether the website has had recent
security issues, and using credit cards with additional levels of
authentication (e.g. 2FA -- two-factor authentication).
Things are more difficult for retailers, but the best advice (from this article, again) is
Stay away from processing payment details on your site.
If your site never has access to clients’ payment details, it can’t be
used to steal them even if it is hacked. Just outsource payments to some
trusted third-party service such as PayPal, Stripe, Google Wallet,
Authorize.net, etc.
That is the flip side of what they recommend for shoppers. If credit
card info is never collected on your site, you're not completely safe,
but you avoid many of the problems, including Magecart-style skimming.
Keep your site patched anyway.
If you insist on taking payment info on your own site, and even if you
don't, the high-order bit is this paragraph:
E-commerce site administrators must ensure familiarity and conformance to
recommended security controls and best practices related to e-commerce,
and particularly, the software packages utilized. All
operating system software and web stack software must be kept up to
date. It is critical to remain abreast of security advisories from the
software developers and to ensure that appropriate patch application
follows, not only for the core package but also third-party
plugins and related components. [emphasis mine]
Be careful out there!
Another fine post from
The Computer Curmudgeon, cross-posted to computer-curmudgeon.com.