Digital Skimming and Magecart

6 Lessons Learned from the Segway Magecart Attack

6 Lessons Learned from the Segway Magecart Attack

Segway, the manufacturer of the motorized scooter famous for use by mall security officers and big city tourists alike, fell victim to a Magecart attack in early January 2022. According to reports, Magecart Group 12 pulled off the attack on the Segway e-commerce website by injecting malicious code in an icon file, which skimmed buyers’ payment card information when it loaded in their browser. It’s estimated that the attack lasted for at least two weeks and affected customers across several countries.

Cybercriminals hid malicious code in an icon file that displayed Segway’s logo on users’ browsers. Because the file wasn’t inherently malicious, it went undetected by anyone looking at the HTML source code. The logo was still rendered correctly in users’ browsers, so it wasn’t apparent that the file was compromised. The skimmer was dynamically loaded in users’ browsers and captured payment data when a buyer checked out. Researchers debugged the skimmer’s loader to reveal its command-and-control (C2) URL: booctstrap[.]com. This is a known skimmer domain that has been active for several months.

Lessons Learned

Here are six lessons we can learn from this breach:

1. Every e-commerce site is at risk of a digital skimming attack

Magecart attacks have become common since the first one was reported in 2016, and they extend beyond just the Magento platform. Successful digital skimming attacks have also been waged against OpenCart, Volusion and nearly every other e-commerce platform. Although attacks against smaller companies might not make prime time news, the Segway breach reminds us that client-side threats are alive and well — and that no business is safe.

2. Fraudsters are becoming more sophisticated

Magecart groups are known for switching up their tactics to evade detection, and the attack on Segway underscores their infamous ingenuity. In this attack, the malicious skimmer was embedded in a favicon. The image rendered properly on the client side, but examination of it with a hex editor revealed that it contained JavaScript that began with an eval function. Researchers discovered a piece of JavaScript named “Copyright” which dynamically loaded the skimmer on checkout pages. This tactic made the skimmer invisible to anyone who inspected the HTML source code.

3. Attackers will be bold for a big payday

Cybercriminals sometimes prefer to target low-hanging fruit: small, vulnerable sites that require less skill, time and effort to hack. But more sophisticated attackers do not shy away from larger brands in the name of a big payday. Macy’s, Proctor and Gamble’s First Aid Beauty and even the Baseball Hall of Fame have sustained Magecart attacks. And in all three of those cases, the attacks went on for several months before they were detected.

4. Keeping your CMS and plugins up-to-date is key

Segway’s digital store runs on Magento, a popular e-commerce content management system (CMS). Cybercriminals often target outdated and vulnerable CMS code, and experts speculate that’s how the hackers infiltrated the Segway site. Keeping platforms and applications up-to-date reduces the likelihood of vulnerabilities on your site.

5. Traditional security solutions can’t protect against Magecart attacks

Magecart and digital skimming attacks can easily fly under the radar because skimmers run on the client side, outside of the purview of typical web controls like web application firewalls (WAFs). Other tools — such as manual code reviews, static code analysis and scanners — don’t catch malicious code that loads dynamically in users’ browsers, as was the case in the Segway attack.

6. Magecart is just the tip of the iceberg

Magecart is only one example of an ever-growing array of client-side attacks, such as PII harvesting, formjacking, digital skimming, DOM modification and network manipulation. Cybercriminals target vulnerabilities in all third-party code, including payment iframes, chatbots, scripts for analytics, metrics and A/B testing, and resources from helper libraries such as jQuery. 70% of the average website is comprised of third-party code, leaving a vast attack surface for fraudsters to exploit.

How to Protect Yourself

Website owners need to get visibility into first-, third, and nth-party code that loads dynamically in users’ browsers. Leveraging a client-side web app security solution allows you to identify scripts that are accessing sensitive fields and exfiltrating personally identifiable information (PII) to unknown or suspicious domains, as well as code that has known vulnerabilities.

It is vital that website owners and security professionals have visibility into where client-side threats are coming from and easy access to the details around each security incident, including how scripts are interacting with your site, what additional scripts they are interacting with and exposure details. Then, a combination of content security policy (CSP) and granular client-side browser-based JavaScript blocking can appropriately mitigate the risk.

PerimeterX Code Defender provides comprehensive mitigation of client-side threats. Learn more about how the solution can prevent the theft of users’ account and identity information everywhere along their digital journey.

Forrester Report

PerimeterX Named a Leader in the Forrester Wave™: Bot Management, Q2 2022

Download Report
© PerimeterX, Inc. All rights reserved.