Segway’s online store infected with credit card skimmer used in large-scale Magecart attack campaign


Segway’s online store ( suffered a Magecart attack that potentially gave attackers access to customers’ credit card information.

Magecart attacks typically involve injecting malicious scripts into a website to capture customers’ credit card information during checkout.

Cybersecurity company Malwarebytes discovered the infection after detecting that the online store was contacting a malicious domain (booctstrap[.]com) associated with previous Magecart attacks.

Attributing the compromise to the Magecart 12 group, Malwarebytes said the threat actor had compromised the store at least since January 6, 2022.

Currently owned by Chinese group Ninebot, the victim of the Magecart attack is the maker of the controversial two-wheeled self-balancing motorized personal transporter. The product has appeared in films and is used by security guards on patrol. They are also popular with tourists for leisure walks.

Magecart attack on Segway’s online store exploited code embedded in an image

Malwarebytes said hackers used malicious code embedded in an icon file to potentially steal credit card information.

“Threat actors embed the skimmer in a favicon.ico file. If you looked at it, you wouldn’t notice anything because the image is meant to be preserved.

However, careful analysis via a hex editor shows malicious JavaScript code starting with the ‘eval’ function.

The hackers disguised the file as favicon.ico file to display the site logo on the browser. Despite the infection, the icon is displayed correctly on the browser, further covering the traces of the attackers.

Segway Magecart attack threat actors used “long and innocuous” Javascript code disguised as “Copyright” to dynamically load the skimmer on checkout pages. These tactics allow the threat actor to evade various security audits.

Malwarebytes believes the attackers have exploited a vulnerability in the Magento CMS running Segway’s online store or an installed vulnerable plugin.

Credit card skimmers frequently target vulnerable stores built on popular content management systems including OSCommerce, WooCommerce, Magento, OpenCart, among others.

Magecart attack incidents increase since 2015

Various security groups have reported multiple incidents of Magecart attacks since 2015 from multiple groups.

Magecart Group 12 was responsible for a large-scale Magecart attack campaign against OpenCart online store installations in 2019, according to RiskIQ and FlashPoint. According to Microsoft’s RiskIQ December report, a Magecart attack occurs once every 6 seconds.

In 2018, Magecart Group 12 compromised French advertising company Adverline and injected credit card skimmers into hundreds of Tokyo Olympics ticket reseller websites. Since its first detection, Magecart Group 12 has evolved its tactics to throw web application security experts off its trail.

“Magecart attackers continue to get more creative with their techniques in order to evade detection, especially given the advancements in security solutions over the years,” said Uriel Maimon, senior director of emerging technologies. at PerimeterX. “By hiding the skimmer script in a favicon claiming to display the site’s copyright, neither manual code reviews, static code analysis, nor scanners could have detected it easily.”

The top five countries targeted by the group’s Magecart attack campaigns are the United States (55%), Australia (39%), Canada (3%), the United Kingdom (2%) and India. Germany (1%).

“The Segway store compromise reminds us that even well-known and trusted brands can be affected by Magecart attacks. Although it’s usually harder for hackers to hack a large website, the payoff is worth it. concludes the report.

Malwarebytes shared the findings of its report with the Segway before making it public. However, the victim of the Magecart attack did not immediately confirm that they had secured the online store.

According to various sources, the online store was still compromised when Malwarebytes published the report. Several other security products also detected the skimmer and blocked the website, marking it as containing dangerous content.

James McQuiggan, security awareness advocate at KnowBe4, says cybercriminals have compromised many online stores and compromised a lot of personal and credit card information.

“Cybercriminals are always in it for the money. Whether it’s through ransomware or one of the oldest methods, credit card skimming,” McQuiggan said. third parties that are attacked and have approximately sixteen lines of code injected into the credit card processing application.”

Magecart #hackers embedded the credit card skimmer in a favicon.ico file and dynamically loaded it with Javascript code on checkout pages. #cybersecurity #respectdataClick to tweet

He urged online store operators to monitor their web traffic for apps sending data from their websites to unknown locations.

“Organizations should monitor web traffic for applications that send data to unknown locations. A robust change management program to monitor code changes on third-party sites and products can reduce the risk of a successful attack and maintain strong cyber resilience.


About Author

Comments are closed.