Segway, famous for its two-wheeled “hoverboards” that are widely used in several countries worldwide, has confirmed it has fallen victim to a cyberattack in which credit card data fell into the hands of hackers.
Segway’s online store was reportedly compromised on or before 6th January by the Magecart Group 12 hacking group. The group is named after its preferred approach to hacking, in which it injects the Magecart script into vulnerable e-commerce platforms. Once the script is in place, the group can steal credit card data by skimming transaction data intercepted from the infected website.
Was a vulnerability in a popular e-commerce platform to blame?
The Segway data breach was first spotted by cybersecurity specialists Malwarebytes, who said the breach likely came about due to a vulnerability in the Magento Content Management System (CMS) the site was using. Magento is a massively popular platform for e-commerce websites, with a reported 170,000 sites using it. It’s unknown whether this was the definitive cause of the data breach, but all e-commerce platforms relying on Magento would be well served to be vigilant and ensure their software is up to date at the earliest opportunity.
How was malware hidden in the Segway website?
Malwarebytes said that having breached the website, hackers then placed the Magecart script in favicons. Favicons are the small icons shown on browser tabs next to the website or page name. This approach is effective because favicons are one of the last places anyone would look for suspect code. Even security professionals struggle to find such code unless they’re working with a hex editor.
Although the method is complex, Techradar reports that BleepingComputer describes this approach as “well-documented” and says it has been used by Magecart hacking groups for many years. Given the name of the group responsible here, there are presumably at least 12 of them.
The cybersecurity specialists explained that the favicon in this case appeared to display Segway’s copyright. However, beneath the visible favicon was a second one, where the malicious code sat ready to steal unsuspecting customers’ credit card details.
According to BleepingComputer, several global brands, including Macy’s and British Airways, have been compromised in precisely this fashion in recent years.
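The check that otherwise needs a hex editor can be automated. The following is an added example, not taken from the article or from Malwarebytes' analysis: it assumes the favicon is served as a PNG and that hidden code would sit in a non-pixel chunk or after the image's end marker, and the function names and token list are illustrative.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed heuristic: tokens that have no business inside an image file.
SCRIPT_HINTS = re.compile(rb"eval\(|atob\(|<script|document\.|fromCharCode", re.I)


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def inspect_png(data: bytes) -> list[str]:
    """Return findings for a favicon served as PNG; empty list means nothing odd."""
    hinted = lambda blob: " with script-like text" if SCRIPT_HINTS.search(blob) else ""
    if not data.startswith(PNG_SIG):
        return ["not a PNG" + hinted(data)]
    findings, pos, ended = [], len(PNG_SIG), False
    while not ended and pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(crc) < 4:  # declared length runs past end of file
            return findings + [f"truncated {name} chunk"]
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            findings.append(f"bad CRC in {name} chunk")
        # IDAT is compressed pixel data; every other chunk should be script-free.
        if ctype != b"IDAT" and SCRIPT_HINTS.search(body):
            findings.append(f"script-like text in {name} chunk")
        pos += 12 + length
        ended = ctype == b"IEND"
    if not ended:
        findings.append("no IEND chunk")
    elif data[pos:]:  # a decoder stops at IEND, so this never renders
        findings.append(f"{len(data) - pos} bytes after IEND" + hinted(data[pos:]))
    return findings


# Constructed samples: a valid 1x1 grayscale PNG, then the same file with
# inert script-like text appended after the image ends.
CLEAN = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
TAMPERED = CLEAN + b"/* constructed */ eval(atob('Y29uc3RydWN0ZWQ='))"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_png(blob))
```

Both samples render as the same image in a browser, which is why a visual check of the icon says nothing about what else the file carries.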
Customers worldwide thought to be at risk
While Segway admitted a data breach had taken place, at the time of writing, no further details were available as to the scale of the incident. Segway had also not announced or posted anything publicly about the incident. While most customers with accounts on the Segway website are from the United States or Australia, consumers worldwide are potentially at risk if they’ve made a purchase from the site around or shortly after 6th January.
If you’ve recently made a purchase from Segway, you should keep a watch on the account you paid with. If you’re worried about fraud, contact your card provider, explain the situation, and request that your card be cancelled and a replacement sent.