Macy’s suffers online Magecart card-skimming attack, data breach

The department store detected malicious code in its online payment portal.

What happens after a data breach in a major company? Nothing good, says Wall Street The stock market does not take cybersecurity incidents kindly, it seems.

Macy's has announced a data breach caused by Magecart card-skimming code being implanted in the firm's online payment portal. 

In a letter issued to customers, the company says that it was alerted to the security incident on October 15, and the Macy's team quickly found that card-skimming script had been injected into two pages on the Macy's website. 

The code, believed to have been injected on October 7, impacted the Macy's checkout page and wallet page, the latter of which is accessed through the "My Account" facility. 

"The unauthorized code was highly specific and only allowed the third-party to capture information submitted by customers," the US department store chain said. 

While the code was removed on the same day Macy's was alerted to the problem, customers that have placed orders online or submitted financial details into their wallets may have had their information stolen. 

See also: Your business hit by a data breach? Expect a bill of $3.92 million

This data includes first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes, and expiration dates. 

It is not known how many customers may have been embroiled in the data-stealing campaign, which lasted at least a week before Macy's knew of its compromise. However, a Macy's spokesperson told Bleeping Computer that only a "small" number of customers were involved, and they would be offered consumer protection services for free.

"We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist in our investigation," the company says. "We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com."

This sort of incident is known as a Magecart attack, in which an umbrella term used to describe card-skimming malware implants on otherwise legitimate e-commerce domains. 

Magecart attacks have been recorded at Ticketmaster, British Airways, Newegg, and thousands of other websites. 

TechRepublic: PrivSec conference highlights CISO concerns and future data privacy laws

These attacks are usually made possible through a vulnerability in a website or its backend content management system (CMS). Once unauthorized access is gained, threat actors inject JavaScript code into a webpage dealing with financial information, sit back, and wait for unsuspecting consumers to submit their payment card details. 

This data is then harvested and sent to a command-and-control (C2) server, where it may be used to create clone cards, for fraudulent online purchases, or sold on in batch information dumps on underground forums. 

An anonymous researcher investigating the Macy's attack told Bleeping Computer that a ClientSideErrorLog.js script was tampered with to host Magecart code. Once a victim submitted their payment details, this data was then whisked away to a remote C2 hosted at Barn-x.com. 

When active Magecart campaigns are detected, malicious code needs to be stripped out and any vulnerabilities that made the code injection possible in the first place have to be resolved. 

CNET: Ring doorbells and the police: What to do if surveillance has you worried

Cybersecurity researchers are sometimes able to track the campaigns back to their C2s, which can be shut down by notifying hosts of their malicious purposes. However, as recently discovered by RiskIQ, these domains can be repurchased by threat actors once they are released back to the market, and if Magecart callouts are still active, they may be repurposed for ad fraud and malvertising. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0