# Newegg appears to be infected with some kind of social engineering hack



## R-T-B (Nov 15, 2015)

*UPDATE:  As of Oct 14th 9PM PST this seems fixed.*

*Old Post below:*

What the title says.  Someone appears to have uploaded a script to newegg that tries to trick you into downloading a fake flash player.  Please be very careful.

I admit, it could just be my machine and browser, but...  I tried it on several remote ones and every browser I could think of and got the same result.  So I'm posting a warning.

Offending link example:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820147466&cm_re=950_pro-_-20-147-466-_-Product

Screenshot:






@Newegg_Service


----------



## R-T-B (Nov 15, 2015)

Offending file it offers to download, on VirusTotal, from a Linux box:

https://www.virustotal.com/en/file/...153213290962021cca4ec5bf/analysis/1447555584/

As newegg appears to have been compromised, I would not order a thing from them until this is sorted out and a statement made.


----------



## jboydgolfer (Nov 15, 2015)

Doesn't happen when I go to the link. Hmmm. But thanks just the same.


----------



## hat (Nov 15, 2015)

I just did a little browsing there, and nothing like that comes up on my end.


----------



## R-T-B (Nov 15, 2015)

jboydgolfer said:


> Doesn't happen when I go to the link. Hmmm. But thanks just the same.



It takes roughly 15 seconds of browsing to display.  Also it only appears on certain product pages.

Reddit confirms it:

https://www.reddit.com/r/Newegg/comments/3suni0/when_i_go_to_neweggs_website_it_tells_me_my_flash/

EDIT:  Perplexing that some people aren't seeing it.  Is it perhaps ISP or regional?  It's definitely more than just me and my machines.

Please post if you see it as well.


----------



## Solaris17 (Nov 15, 2015)

nothing over here.

whats that shield icon to the left of your URL box? it looks familiar.


----------



## R-T-B (Nov 15, 2015)

Solaris17 said:


> nothing over here.
> 
> whats that shield icon to the left of your URL box? it looks familiar.




Firefox tracking protection. (Well, Cyberfox, but same damn source code. 64-bit recompile essentially.)


----------



## jboydgolfer (Nov 15, 2015)

makes me nervous.


----------



## R-T-B (Nov 15, 2015)

Yeah, it's weird.

You guys running an ad or javascript blocker by chance?  I'm not trying to scare people and I'll feel like such a dunce if it's my end.


----------



## jboydgolfer (Nov 15, 2015)

i do run adblock


----------



## Jetster (Nov 15, 2015)

It's not Newegg. I've been on Newegg all day and no blocker. I forget where you live; maybe you have been redirected by a virus on a server somewhere.


----------



## Solaris17 (Nov 15, 2015)

R-T-B said:


> Yeah, it's weird.
> 
> You guys running an ad or javascript blocker by chance?  I'm not trying to scare people and I'll feel like such a dunce if it's my end.



I was. I disabled it and did a shift+F5 a few times and couldn't reproduce.


----------



## jboydgolfer (Nov 15, 2015)

Nope, can't reproduce. East coast, North America.

appreciate the heads up though.


----------



## Solaris17 (Nov 15, 2015)

I'm going to be straight with you RTB I think your browser is infected and you should look in your programs list and in firefox for default search engine/extension tampering.


----------



## Jetster (Nov 15, 2015)

I think adobe has a web site to check your flash player

https://www.adobe.com/software/flash/about/


----------



## blunt14468 (Nov 15, 2015)

No issues for me ....


----------



## R-T-B (Nov 15, 2015)

Solaris17 said:


> I'm going to be straight with you RTB I think your browser is infected and you should look in your programs list and in firefox for default search engine/extension tampering.



I really am going to feel like a moron if that's the case.  But I'm pretty sure it's not because I've done everything including logging into a BSD server in Seattle via VNC (it hilariously offers me the same exe).

Plus there is a reddit thread on this.  Pretty fresh.

https://www.reddit.com/r/Newegg/comments/3suni0/when_i_go_to_neweggs_website_it_tells_me_my_flash/

I think it's honestly something on west coast Comcast's end at this point.  My apologies if it can't be reproduced.  Better safe than sorry, I figure.


----------



## jboydgolfer (Nov 15, 2015)

I see in the pic in your OP that your page is still loading, it's on "sellpoints". If it took 15 seconds for that popup to appear and your page is still loading, I have to think that isn't normal for Newegg... mine always loads in 2-3 seconds.


----------



## Solaris17 (Nov 15, 2015)

R-T-B said:


> I really am going to feel like a moron if that's the case.  But I'm pretty sure it's not because I've done everything including logging into a BSD server in Seattle via VNC (it hilariously offers me the same exe).
> 
> Plus there is a reddit thread on this.  Pretty fresh.
> 
> ...



sh if that's the case it might be a forwarding problem for an add in Comcast's root DNS servers. It happened in my zone a few weeks ago. I would get redirected to all sorts of shit. Called up the ISP and they too were freaking out. It was a good 12 hours. All of my domain controllers were poisoned.


----------



## R-T-B (Nov 15, 2015)

Solaris17 said:


> sh if that's the case it might be a forwarding problem for an add in Comcast's root DNS servers. It happened in my zone a few weeks ago. I would get redirected to all sorts of shit. Called up the ISP and they too were freaking out. It was a good 12 hours. All of my domain controllers were poisoned.



Yeah well haphazard as this warning may have been, looks like it's at least an isolated incident to my region.

If it's not newegg's fault, I seriously apologize if I hurt their sales any over this, heh.  Just being cautious.



jboydgolfer said:


> I see in the pic in your OP that your page is still loading, it's on "sellpoints". If it took 15 seconds for that popup to appear and your page is still loading, I have to think that isn't normal for Newegg... mine always loads in 2-3 seconds.



Yeah, it's definitely not normal behavior for me.  Or those reddit users.  What's weird is it's only Newegg...  seems like if I was poisoning a DNS it would be everyone.


----------



## newtekie1 (Nov 15, 2015)

I can confirm, it just happened to me.  Using Chromium w/ Adblock enabled.  It definitely isn't just you R-T-B.


----------



## R-T-B (Nov 15, 2015)

newtekie1 said:


> I can confirm, it just happened to me.  Using Chromium w/ Adblock enabled.  It definitely isn't just you R-T-B.



Maybe browser cache?  I clear my cache on exit.  Maybe they have to wait for their cache to expire/flush to see it.


----------



## Jetster (Nov 15, 2015)

Okay, mine just did it too.

Where do you live?


----------



## R-T-B (Nov 15, 2015)

Jetster said:


> Okay, mine just did it too.



And you guys had me thinking it was just me, lol.

I'm looking through the page source and trying to find where it loads, but it's code soup.  I suspect it's an infected .js file.


----------



## Jetster (Nov 15, 2015)

So I clicked on it and Kaspersky blocked the link.


----------



## Eden Tosh (Nov 15, 2015)

My NewEgg page has been doing the same thing, haven't tried it on my phone. I have been trying to look for any posts about it, to see if it wasn't a virus on my end, and found this.


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> My NewEgg page has been doing the same thing, haven't tried it on my phone. I have been trying to look for any posts about it, to see if it wasn't a virus on my end, and found this.



I'm pretty sure it's newegg themselves that are infected.  I would hold off on ordering from them until they make a statement (don't want your CC getting skimmed or something nefarious, we don't know anything yet and should assume the worst).


----------



## Eden Tosh (Nov 15, 2015)

R-T-B said:


> And you guys had me thinking it was just me, lol.
> 
> I'm looking through the page source and trying to find where it loads, but it's code soup.  I suspect it's an infected .js file.


Yeah, the download host is something along the lines of codehost ml for me, and the file it's trying to download is adobe_flashplayer_9.exe


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> Yeah, the download host is something along the lines of codehost ml for me, and the file it's trying to download is adobe_flashplayer_9.exe




Yeah.  It's not even a modern pretend flash version, lol.

It's also a trojan.  Just in case I need to state the obvious:  DO NOT RUN IT.


----------



## Jetster (Nov 15, 2015)

I e-mailed them.


----------



## R-T-B (Nov 15, 2015)

Jetster said:


> I e-mailed them.



Thanks, firing one off myself.


----------



## Eden Tosh (Nov 15, 2015)

Okay, I did order something off of the website last week, so hopefully I should be good, and hopefully my information I have stored there will be safe. That being compromised is the last thing I need right now.


----------



## Eden Tosh (Nov 15, 2015)

R-T-B said:


> Thanks, firing one off myself.


Will do the same.


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> Okay, I did order something off of the website last week, so hopefully I should be good, and hopefully my information I have stored there will be safe. That being compromised is the last thing I need right now.



I ordered a PSU just recently.  I'm in the same boat as you man.


----------



## Hugis (Nov 15, 2015)

Confirmed here in Spain!


----------



## Jetster (Nov 15, 2015)

Well, I'm sure you're fine. Kaspersky blocked it, and if it's still trying then you must be ok.


----------



## R-T-B (Nov 15, 2015)

Jetster said:


> Well, I'm sure you're fine. Kaspersky blocked it, and if it's still trying then you must be ok.



I'm more concerned that if they had root access to the machine, they may have the credit card database.

I'm not really worried about the malware.

But we just have to wait and see.  It's possibly just a low level compromise.


----------



## newtekie1 (Nov 15, 2015)

R-T-B said:


> I'm pretty sure it's newegg themselves that are infected.



I'd bet it is more likely the 3rd party advertisement that is infected and causing it.  That is why some people get it, others don't.  Even I get it inconsistently, even when loading the same page multiple times.  It happens a few times in a row, then doesn't a few times.  Even with Adblock enabled, part of the ad script is still loaded with the page.


----------



## R-T-B (Nov 15, 2015)

newtekie1 said:


> I'd bet it is more likely the 3rd party advertisement that is infected and causing it.  That is why some people get it, others don't.  Even I get it inconsistently, even when loading the same page multiple times.  It happens a few times in a row, then doesn't a few times.  Even with Adblock enabled, part of the ad script is still loaded with the page.



That's a very encouraging thought.  And plausible.  Newegg's page is riddled with 3rd party JS analytics shit...

Makes you think, eh?


----------



## Eden Tosh (Nov 15, 2015)

Yeah, must be something on Newegg's end, I run my anti-virus and nada. I'll probably stop browsing their site until this gets resolved, can't get a virus on my first home built computer only after five months of use!


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> Yeah, must be something on Newegg's end, I run my anti-virus and nada. I'll probably stop browsing their site until this gets resolved, can't get a virus on my first home built computer only after five months of use!



Not a bad idea...  I'm sure they'll tell us what was up / when it is fixed when they reply to our emails.


----------



## Eden Tosh (Nov 15, 2015)

R-T-B said:


> Not a bad idea...  I'm sure they'll tell us what was up / when it is fixed when they reply to our emails.


Yeah, I just wrapped up my email and tried to use their weird chat thing, but it's finicky.


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> Yeah, I just wrapped up my email and tried to use their weird chat thing, but it's finicky.



The chat folks probably aren't equipped to handle this anyhow.  Email is probably best for web security stuff.


----------



## Eden Tosh (Nov 15, 2015)

R-T-B said:


> The chat folks probably aren't equipped to handle this anyhow.  Email is probably best for web security stuff.


Yeah, but the chat won't even load I meant. It was a half-baked idea anyway. Newegg is probably already scrambling to try to fix this issue as we speak. It would be bad press that their site was compromised, with Black Friday/Cyber Monday just a few weeks away.


----------



## R-T-B (Nov 15, 2015)

Eden Tosh said:


> Yeah, but the chat won't even load I meant. It was a half-baked idea anyway. Newegg is probably already scrambling to try to fix this issue as we speak. It would be bad press that their site was compromised, with Black Friday/Cyber Monday just a few weeks away.



Yep.

And my opinion is that it's an ad-display partner that's infected, not newegg.  So it's probably all a bunch of hot air over nothing...  but can't be sure until they say something.  I'm betting that'll be as soon as someone wakes up their web admin (poor guy).


----------



## Eden Tosh (Nov 15, 2015)

R-T-B said:


> Yep.
> 
> And my opinion is that it's an ad-display partner that's infected, not newegg.  So it's probably all a bunch of hot air over nothing...  but can't be sure until they say something.  I'm betting that'll be as soon as someone wakes up their web admin (poor guy).


Yeah, I was surprised that there was a thread already open about this 10 minutes after I started getting this issue. Quick response from the user base for Newegg, I guess.


----------



## R-T-B (Nov 15, 2015)

Seems to have gone away for me.


----------



## Maban (Nov 15, 2015)

I had this happen earlier on my tablet. It automatically downloaded.


----------



## R-T-B (Nov 15, 2015)

Maban said:


> I had this happen earlier on my tablet. It automatically downloaded.



Good thing most tablets are linux/android ARM and it's an exe.


----------



## remixedcat (Nov 15, 2015)

@Jetster are you in portland w cumcast?


----------



## remixedcat (Nov 15, 2015)

when did this happen actually? I had to enter my CC# for the premier thing and I hope to the cat gods that my number didn't get taken... it takes me freakin 2-3 weeks to get a new CC and there's other crap with my bank as well,...


----------



## R-T-B (Nov 15, 2015)

remixedcat said:


> when did this happen actually? I had to enter my CC# for the premier thing and I hope to the cat gods that my number didn't get taken... it takes me freakin 2-3 weeks to get a new CC and there's other crap with my bank as well,...


I suspect it was just an advertising partner misbehaving and not a breach.

Regardless, seemed to happen roughly 6PM PST, and ended about 9PM PST for me.


----------



## remixedcat (Nov 15, 2015)

Here's a handy report on the IP address this attack is originating from: http://urlquery.net/report.php?id=1447553569796
Please see there, lots of IPs to block in your firewalls to further secure yourselves from other malware/attacks as well. I blocked them in my hardware and software firewalls and hosts files as well. I suggest y'all do so too.


----------



## aasim1111 (Nov 15, 2015)

Now is it safe? I have been wanting to buy a GPU and now finally it's on sale.


----------



## R-T-B (Nov 15, 2015)

aasim1111 said:


> Now is it safe? I have been wanting to buy a GPU and now finally it's on sale.



I haven't got an official reply from newegg yet but it does seem fixed.


----------



## remixedcat (Nov 15, 2015)

Please, also, everyone report the host reported in the following URL (Note: please do not report to/of Netcraft, but the site contained within the report) http://toolbar.netcraft.com/site_report?url=http://www.codehost.ml as well and tell them their hosting client has placed malware on the server. The more people report this activity to the webhosts, the fewer infections we need to worry about... I know it's like cutting heads off a hydra, however at least it'll provide some breaks. However, in the meantime please block those IPs and such from the report I linked above in your firewalls and such.

CentriLogic Inc. is the ASN/NETBLOCK owner, alert THEM first. Then it will go down the food chain and that "PKHost" company's shit will get brought down BC there's a lot of malware coming from their clients.


----------



## Jetster (Nov 15, 2015)

remixedcat said:


> @Jetster are you in portland w cumcast?


Close enough


----------



## Toothless (Nov 15, 2015)

Jetster said:


> I forget where you live; maybe you have been redirected by a virus on a server somewhere.


I live maybe 2 hours from him and I don't get anything like this from the egg.


----------



## remixedcat (Nov 15, 2015)

Posted this on newegg's FB page:


> For all that want to contact the owners of the IP address where the attacks originated from please contact support@centrilogic.com and be very nice and tell them the attacks came from codehost.ml and they are hosted with PKHost which resides on the network of Centrilogic. If we get rid of the source of the attacks we can save other webmasters/admins as well as newegg. source 1 http://toolbar.netcraft.com/site_report?url=http://www.codehost.ml source 2: http://urlquery.net/report.php?id=1447553569796 also source2 has IP addresses you can block in your firewalls till centrilogic or the other layers of the food chain can take action. Please be safe eggers!


----------



## remixedcat (Nov 15, 2015)

Blogged for its and shiggles: http://remixedcat.blogspot.com/2015/11/neweggcom-compromised.html


----------



## jboydgolfer (Nov 15, 2015)

Didn't this all start after they added the "we stand together" insert on their page? The "je suis paris" stuff regarding the terrorist attacks?


----------



## remixedcat (Nov 15, 2015)

Reply from the host, they at least acknowledged it.


----------



## Rhyseh (Nov 16, 2015)

I'd agree in saying it's more likely an affiliate ad or plugin server, I doubt Newegg itself is compromised, else we would not likely be seeing the regional differences. Chances are high someone in a NOC is sending nasty emails to someone by now....


----------



## R-T-B (Nov 16, 2015)

Rhyseh said:


> I'd agree in saying it's more likely an affiliate ad or plugin server, I doubt Newegg itself is compromised, else we would not likely be seeing the regional differences. Chances are high someone in a NOC is sending nasty emails to someone by now....



I'm nearly 100% confident it is now.  People have traced it to the IP range and newegg.com itself does not seem related.

To be clear, I really doubt Newegg itself was compromised.


----------



## remixedcat (Nov 16, 2015)

Like I said, it wasn't Newegg's server, however it's something that still needs to be stopped and Newegg needs to obliterate all refs to it from their site's code. Stopping the code from running on multiple sites that ref this code would be super effective!  I hope it's not just me that reported it to the damn host or I'm gonna be pissed. Please everyone report it, hosts will listen more to multiple reports! We need to do this!


----------



## Mercennarius (Nov 16, 2015)

I was getting the exact same prompt on Anandtech.com's forum last week...

http://forums.anandtech.com/showthread.php?t=2453033


----------



## remixedcat (Nov 16, 2015)

and that IP is going to SoftLayer in TX...

also more IPs to block in my firewall


----------



## remixedcat (Nov 16, 2015)

SoftLayer now contacted...

and an interesting tid-bit about SoftLayer


----------



## Rhyseh (Nov 16, 2015)

Softlayer, AWS, Azure.... You get the same issue from all of them. AWS seem to be pretty responsive with this kind of stuff though.


----------



## rtwjunkie (Nov 16, 2015)

Don't know if related, but last night for about an hour Newegg ONLY showed Marketplace items, and any search by me for brand names MSI and EVGA brought back zero results. Lol.


----------



## xorbe (Nov 16, 2015)

I don't think Newegg was the only one with problem today.

On a fresh+updated install of Win7 on an undoubtedly clean machine (pw protected, only I use it), I went to FB and was redirected to a "notes" page on FB that was some sort of MLM scheme.  Creepy as hell.  Either dad's home router is compromised (seems unlikely, it's pretty new), or something tweaked on the FB server.


----------



## remixedcat (Nov 16, 2015)

well I have all the IPs and HOSTNAMES from both site reports on my firewalls on ALL VLANs. I suggest you do this as well.


----------



## Jetster (Nov 16, 2015)

Cool a gift.


----------



## R-T-B (Nov 16, 2015)

Wait, you got a gift?  Nice!


----------



## Jetster (Nov 16, 2015)

It's a Newegg Bennie. I already have one. If you want it I'll send it to you. After all, you started this.


----------



## R-T-B (Nov 16, 2015)

Jetster said:


> It's a Newegg Bennie. I already have one. If you want it I'll send it to you. After all, you started this.



Nah, throw it to someone else.  I don't really need it either...


----------



## jboydgolfer (Nov 16, 2015)

What happens to the PC if this update WAS downloaded? Anyone know? E.g. symptoms?


----------



## remixedcat (Nov 17, 2015)

bennie bunny? hehehehe

or an actual egg?

EGGIEEE!!!!!!

Also SoftLayer has not responded to the malware/abuse report (some of the IP reports come from there according to some other people as well as ones on Anand and other forums) and from what I've gathered thru Google, SL is very hostile to abuse reporters and literally told someone to go away. Also told another live chatter that they can only listen to customers and no outsiders... shadyAF datacenter company even though they are one of the largest!!

Someone got DDoSed to the tune of 55Gbps and SL just hung up the phone!

webhostingtalk.com has so much dirt on this shiz it's nuts. 

It's like they protect people that use their service to attack people!


----------



## Jetster (Nov 17, 2015)

Thanks for your work on this remixedcat. I'd send you the hat, but don't you live in another country?


----------



## remixedcat (Nov 17, 2015)

I am in the USA, in WV, so that would be nice. PM me.


----------



## Rhyseh (Nov 18, 2015)

remixedcat said:


> bennie bunny? hehehehe
> 
> or an actual egg?
> 
> ...



I would take the negative press with a grain of salt. SoftLayer are owned by IBM these days and a number of banks and large enterprises utilise their services. Like most cloud providers they only really respond to emails for anything abuse related. Also they have been doing a fair bit of work to remediate the issue of people spinning up servers to be spam hosts. You should give their abuse blog a look through:

http://blog.softlayer.com/tag/abuse


----------



## remixedcat (Nov 18, 2015)

Just because IBM owns them doesn't automatically make 'em clean tho..


----------



## jsalpha2 (Nov 18, 2015)

I'm in Ohio and I saw the pop-up somewhere (maybe NewEgg) yesterday(?)  I had the latest version already so I did not click on the link.  Went to the Adobe site and checked there.
(Type "Test Adobe" in Google and it will show where to test Shockwave and Flash.)
Please post a pic of the NewEgg Beany Baby!


----------

