Segway store hacked, customer details stolen

Segway, the company most famous for its two-wheeled “hoverboard”, has confirmed it suffered a cyberattack that saw it leak credit card data to malicious actors.

The company’s online store was breached sometime around January 6, 2022 (possibly even earlier), by a group known as Magecart Group 12. As the name suggests, the group works to steal credit card information by injecting the Magecart script into vulnerable online stores. The script intercepts transaction data during checkout, a technique also known as formjacking, digital skimming, or e-skimming.

Cybersecurity researchers from Malwarebytes, which first spotted the breach, said it’s likely that the malicious actors exploited a vulnerability in the Magento CMS that the store uses. Once the CMS was breached, they embedded the skimmer in the last place anyone would look: the favicon files, the images used to display small icons, such as website logos, in the browser tab.

Hiding malware in icons

This particular image, Malwarebytes further explains, pretends to display the site’s copyright. On the surface, it does just that, but beneath, it loads an external favicon that holds the malicious JavaScript.

What makes it difficult for security pros to spot this script is the fact that it won’t be seen unless the page is analyzed with a hex editor. BleepingComputer claims that this technique has been “well-documented” and that it’s been used by “skillful” Magecart groups for years now.
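The hex-editor check described above can be automated on the defender's side. The following is an added example, not code from Malwarebytes, BleepingComputer, or Segway: it inspects the bytes a site serves as its favicon and reports script-like content or structural anomalies. The function names, the token list, and all sample bytes are constructed assumptions, and it does not claim to reproduce how the Segway skimmer was embedded.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ICO_MAGIC = b"\x00\x00\x01\x00"
# Assumed heuristic: tokens that have no reason to appear inside an icon file.
SCRIPT_HINTS = re.compile(rb"(?i)<script|eval\s*\(|atob\s*\(|fromCharCode|new\s+Function")

def chunk(ctype, body=b""):
    """Build one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_favicon(data):
    """Return findings for bytes served as a favicon; an empty list means clean."""
    findings = []
    if data.startswith(PNG_MAGIC):
        pos, saw_iend = len(PNG_MAGIC), False
        while not saw_iend and pos + 12 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            body = data[pos + 8:pos + 8 + length]
            pos += 12 + length
            if ctype in (b"tEXt", b"iTXt", b"eXIf") and SCRIPT_HINTS.search(body):
                findings.append("script-like text in %s chunk" % ctype.decode())
            saw_iend = ctype == b"IEND"
        if not saw_iend:
            findings.append("PNG is truncated or has no IEND chunk")
        elif pos < len(data):
            findings.append("%d bytes appended after IEND" % (len(data) - pos))
    elif not data.startswith(ICO_MAGIC):
        findings.append("not a PNG or ICO image")
        if SCRIPT_HINTS.search(data):
            findings.append("script-like tokens in file body")
    return findings

# Constructed samples: a valid 1x1 grayscale PNG and three altered variants.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN = PNG_MAGIC + IHDR + IDAT + chunk(b"IEND")
IN_METADATA = PNG_MAGIC + IHDR + chunk(b"tEXt", b"Copyright\x00eval(atob('CONSTRUCTED'))") + IDAT + chunk(b"IEND")
APPENDED = CLEAN + b"/* constructed trailing bytes */"
NOT_IMAGE = b"eval(atob('CONSTRUCTED'))"

if __name__ == "__main__":
    for name in ("CLEAN", "IN_METADATA", "APPENDED", "NOT_IMAGE"):
        print(name, inspect_favicon(globals()[name]))
```

Run against every icon and image a checkout page references, alongside file-integrity monitoring of the store's web root, since the token list is a heuristic and will not catch obfuscated content on its own.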

Claire's, Tupperware, Smith & Wesson, Macy's, and British Airways have all been compromised in the same fashion, the company says.

As for Segway, most of its users come from the US (55%) and Australia (39%). We don’t know how many customers might be affected by this incident. Segway is yet to make an announcement, as the company’s newsroom page, blog, and Twitter account have no mention of the breach.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.