Segway, the manufacturer of the motorized scooter famous for use by mall security officers and big city tourists alike, fell victim to a Magecart attack in early January 2022. According to reports, Magecart Group 12 pulled off the attack on the Segway e-commerce website by injecting malicious code in an icon file, which skimmed buyers’ payment card information when it loaded in their browser. It’s estimated that the attack lasted for at least two weeks and affected customers across several countries.
Cybercriminals hid malicious code in an icon file that displayed Segway’s logo on users’ browsers. Because the file wasn’t inherently malicious, it went undetected by anyone looking at the HTML source code. The logo was still rendered correctly in users’ browsers, so it wasn’t apparent that the file was compromised. The skimmer was dynamically loaded in users’ browsers and captured payment data when a buyer checked out. Researchers debugged the skimmer’s loader to reveal its command-and-control (C2) URL: booctstrap[.]com. This is a known skimmer domain that has been active for several months.
Here are six lessons we can learn from this breach:
1. Every e-commerce site is at risk of a digital skimming attack
Magecart attacks have become common since the first one was reported in 2016, and they extend beyond just the Magento platform. Successful digital skimming attacks have also been waged against OpenCart, Volusion and nearly every other e-commerce platform. Although attacks against smaller companies might not make prime time news, the Segway breach reminds us that client-side threats are alive and well — and that no business is safe.
2. Fraudsters are becoming more sophisticated
3. Attackers will be bold for a big payday
Cybercriminals sometimes prefer to target low-hanging fruit: small, vulnerable sites that require less skill, time and effort to hack. But more sophisticated attackers do not shy away from larger brands in the name of a big payday. Macy’s, Procter & Gamble’s First Aid Beauty and even the Baseball Hall of Fame have sustained Magecart attacks. And in all three of those cases, the attacks went on for several months before they were detected.
4. Keeping your CMS and plugins up-to-date is key
Segway’s digital store runs on Magento, a popular e-commerce content management system (CMS). Cybercriminals often target outdated and vulnerable CMS code, and experts speculate that’s how the hackers infiltrated the Segway site. Keeping platforms and applications up-to-date reduces the likelihood of vulnerabilities on your site.
5. Traditional security solutions can’t protect against Magecart attacks
Magecart and digital skimming attacks can easily fly under the radar because skimmers run on the client side, outside of the purview of typical web controls like web application firewalls (WAFs). Other tools — such as manual code reviews, static code analysis and scanners — don’t catch malicious code that loads dynamically in users’ browsers, as was the case in the Segway attack.
6. Magecart is just the tip of the iceberg
Magecart is only one example of an ever-growing array of client-side attacks, such as PII harvesting, formjacking, digital skimming, DOM modification and network manipulation. Cybercriminals target vulnerabilities in all third-party code, including payment iframes, chatbots, scripts for analytics, metrics and A/B testing, and resources from helper libraries such as jQuery. 70% of the average website consists of third-party code, leaving a vast attack surface for fraudsters to exploit.
How to Protect Yourself
Website owners need visibility into first-, third- and nth-party code that loads dynamically in users’ browsers. A client-side web app security solution lets you identify scripts that access sensitive fields and exfiltrate personally identifiable information (PII) to unknown or suspicious domains, as well as code with known vulnerabilities.
PerimeterX Code Defender provides comprehensive mitigation of client-side threats. Learn more about how the solution can prevent the theft of users’ account and identity information everywhere along their digital journey.