Segway Hit by Magecart Attack Hiding in a Favicon

Visitors who shopped on the company’s eCommerce website in January will likely find their payment-card data heisted, researchers warned.

Segway, maker of the iconic – and much-spoofed – personal motorized transporter familiar from guided city tours everywhere, has been serving up a nasty credit-card harvesting skimmer via its website that’s likely linked to Magecart Group 12.

That’s according to Malwarebytes, which noted that “We already have informed Segway so that they can fix their site, but are publishing this blog now in order to raise awareness.” Segway, which is now owned by Chinese company Ninebot, did not immediately return a request for confirmation that the site is cleaned.

Magecart is a loose umbrella term encompassing various affiliated groups of financially motivated cybercriminals who all employ a similar skimming malware to harvest information – in particular payment-card information – that shoppers enter into checkout pages on eCommerce websites. Magecart 12 is one of the latest iterations of the group, which is known for consistently switching up its tactics.

Infosec Insiders Newsletter

Typically, across Magecart groups, the skimmers are injected into unsuspecting merchant websites by exploiting vulnerable versions of popular eCommerce platforms, such as outdated iterations of Magento or WooCommerce. That’s what researchers believe may have happened here.

“While we do not know how Segway’s site was compromised, an attacker will usually target a vulnerability in the CMS itself or one of its plugins,” the team explained, in a Monday posting. “The hostname at store.segway[.]com is running Magento, the popular content management system (CMS) used by many eCommerce sites and also a favorite among Magecart threat actors.”

In terms of this campaign’s specific characteristics, Malwarebytes analysts estimated that the skimmer has been active since about Jan. 6, and that it has so far exposed victims in the United States (which makes up 55 percent of site visitors), Australia (39 percent), Canada (3 percent), the UK (2 percent) and Germany (1 percent).

“The compromise of the Segway store is a reminder that even well-known and trusted brands can be affected by Magecart attacks,” Malwarebytes noted. “While it usually is more difficult for threat actors to breach a large website, the payoff is well worth it.”

Hiding Inside a Favicon

Researchers debugged the skimmer’s loader and was able to reveal its command-and-control (C2) URL, booctstrap[.]com, which is a known skimmer domain that’s been active since November. They also observed a piece of JavaScript, disguised as a file named “Copyright,” which isn’t inherently malicious itself but which dynamically loads the skimmer. The approach means that the skimmer is invisible to anyone inspecting the HTML source code, they explained.

Also of interest is the fact that the threat actors are embedding the skimmer inside a favicon.ico file. Favicons are small icon images that link to other websites.

“If you were to look at it, you’d not notice anything because the image is meant to be preserved,” according to the posting. “However, when you analyze the file with a hex editor, you will notice that it contains JavaScript starting with an eval function.”

Uriel Maimon, senior director of emerging technologies at cybersecurity company PerimeterX, noted that this type of innovation is becoming more common.

“Magecart attackers continue [to] get more creative with their techniques in order to evade detection, especially given advancements in security solutions over the years,” he said via email. “By hiding the skimmer script inside a favicon pretending to display the site’s copyright, neither manual code reviews, static code analysis or scanners could have detected this easily.”

Assume Magecart is Coming After Your eCommerce Site

The skimmer itself is a known quantity, researchers noted – it’s cropped up in campaigns since at least 2020, including those carried out by Magecart 12.

Further, the Magecart cybercriminal group overall has been operating for several years and has skimmed from many large organizations, stealing names, emails, credit-card information and more, all of which sells on the Dark Web for profit. Their activity is vociferous: A recent Risk IQ report in December found that a Magecart attack on a website happens once every 16 minutes.

Because of all of that, eCommerce merchants should assume they’re being targeted, noted James McQuiggan, security awareness advocate at KnowBe4.

“In this situation, cybercriminals…have about sixteen lines of code injected into the application for credit-card processing,” McQuiggan said via email. “Organizations must monitor web traffic for applications sending data to unknown locations. A robust change-management program to monitor code changes to sites and third-party products can reduce the risk of a successful attack and maintain a solid cyber resiliency.”

E-commerce businesses could also use a a real-time monitoring solution that detects access to sensitive fields and attempts to exfiltrate personally identifiable information from the client side, PerimeterX’s Maimon said.

“It is important that users of Magento understand the need to disrupt the web attack lifecycle by stopping the theft of account and identity information from their site, and implement a solution to help do that,” he explained. “Taking action before it is too late will also help prevent damage to the brand’s reputation as well as limit potential liability for non-compliance.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles