Tourist group having guided Segway city tour showing Magecart attack on online store

Segway’s Online Store Infected With a Credit Card Skimmer Used in a Large-Scale Magecart Attack Campaign

Segway’s online store ( suffered a Magecart attack that potentially allowed attackers to access customers’ credit card information.

Magecart attacks usually involve injecting malicious scripts into a website to capture customers’ payment card information during checkout.

Cyber security firm Malwarebytes discovered the infection after detecting the online store contacting a malicious domain (booctstrap[.]com) associated with previous Magecart attacks.

Attributing the compromise to the Magecart group 12, Malwarebytes said the threat actor had compromised the store at least since January 6, 2022.

Currently owned by the Chinese group Ninebot, the Magecart attack victim is the maker of the controversial two-wheeled self-balancing motorized personal transporter. The product has appeared in movies and is used by security agents during patrols. They’re also popular with tourists for leisure rides.

Magecart attack on Segway’s online store leveraged code embedded in an image

Malwarebytes said the hackers used malicious code embedded in an icon file to potentially steal credit card information.

“The threat actors are embedding the skimmer inside a favicon.ico file. If you were to look at it, you’d not notice anything because the image is meant to be preserved.”

However, careful analysis through a hex editor shows malicious Javascript code beginning with the ‘eval’ function.

The hackers disguised the file as a favicon.ico file for displaying the site’s logo on the browser. Despite the infection, the icon rendered correctly on the browser, further covering the attackers’ tracks.

The Segway Magecart attack threat actors used a “long and innocuous” Javascript code disguised as “Copyright” to load the skimmer dynamically on checkout pages. These tactics allow the threat actor to evade various security audits.

Malwarebytes believes that the attackers exploited a vulnerability in the Magento CMS running Segway’s online store or an installed vulnerable plugin.

Credit card skimmers frequently target vulnerable stores built on popular content management systems, including OSCommerce, WooCommerce, Magento, OpenCart, among others.

Magecart attack incidents growing since 2015

Various security groups have reported several Magecart attack incidents since 2015 from multiple groups.

Magecart Group 12 was responsible for a large-scale Magecart attack campaign against OpenCart online store installations in 2019, according to RiskIQ and FlashPoint. According to Microsoft’s RiskIQ’s December report, a Magecart attack occurs once every 6 seconds.

In 2018, Magecart Group 12 compromised the French advertising company Adverline and injected credit card skimmers on hundreds of Tokyo Olympics ticket reseller websites. Since its first detection, Magecart Group 12 has evolved its tactics to throw web application security experts off its trail.

“Magecart attackers continue to get more creative with their techniques in order to evade detection, especially given advancements in security solutions over the years,” said Uriel Maimon, Senior Director of Emerging Technologies at PerimeterX. “By hiding the skimmer script inside a favicon pretending to display the site’s copyright, neither manual code reviews, static code analysis or scanners could have detected this easily.”

The top five countries targeted by the group’s Magecart attack campaigns include the United States (55%), Australia (39%), Canada (3%), the UK (2%), and Germany (1%).

“The compromise of the Segway store is a reminder that even well-known and trusted brands can be affected by Magecart attacks. While it usually is more difficult for threat actors to breach a large website, the payoff is well worth it.” concludes the report.

Malwarebytes shared its report findings with the Segway before going public. However, the Magecart attack victim did not immediately confirm it had secured the online store.

According to various sources, the online store was still compromised when Malwarebytes published the report. Several other security products also detected the skimmer and blocked the website, marking it as containing dangerous content.

James McQuiggan, Security Awareness Advocate at KnowBe4, says cybercriminals have compromised many online stores and compromised many personal details and credit card details.

“Cybercriminals are always in it for the money. Whether via ransomware or one of the older methods, credit card skimming,” said McQuiggan. “In this situation, cybercriminals gain access via the third party parties who are attacked and have about sixteen lines of code injected into the application for credit card processing.”

He urged online store operators to monitor their web traffic for applications sending data from their websites to unknown locations.

“Organizations must monitor web traffic for applications sending data to unknown locations. A robust change management program to monitor code changes to sites and third-party products can reduce the risk of a successful attack and maintain a solid cyber resiliency.”