The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain’s TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers’ infrastructure.
The Newegg attack is just one in what RiskIQ’s Klijnsma reports is a wave of attempted Magecart attacks. “Magecart attacks are surging,” Klijnsma said, noting that “RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly. Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands.”
Update, 5:08 PM ET: A spokesperson from Comodo defended the company’s certificate issuance in this case, telling Ars in an emailed statement, “Comodo CA had issued the DV certificate on August 13, 2018, after following all industry standards and Baseline Requirements from the CA/Browser Forum. While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV, OV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use.”