Macy’s Suffers Data Breach by Magecart Cybercriminals

Obfuscated Magecart script was discovered on two Macys.com webpages, scooping up holiday shoppers’ payment card information.

The department store Macy’s is warning that web skimmer malware was discovered on Macys.com collecting customers’ payment card information. The attack has been linked to Magecart, a notorious umbrella group made up of various cybercriminal affiliates that is known for injecting payment card skimmers into ecommerce websites.

According to a data breach notice sent to customers, “an unauthorized third party added unauthorized computer code” to Macys.com on Oct. 7. The code, which was discovered and removed on Oct. 15, was collecting customers’ first and last names, addresses, phone number and email addresses, payment card information (including number, security code, and expiration dates).

“There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name. Nonetheless, you should remain vigilant for incidents of financial fraud and identify theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer,” said Macy’s in its data breach notice.

The way web skimmer work is that they are injected by hackers into targeted websites and are designed to steal data entered into online payment forms on e-commerce websites. When a visitor goes to that website, popular skimmers – such as Pipka or Inter – will then scoop up personal details entered on the site.

The web skimmer that affected Macys.com target two company controlled web pages – the checkout page of the website and the My Wallet page. the My Wallet page allows customers to manage and use payment options, promotions, savings passes and can be accessed in their accounts. Macy’s said that customers who checked out with the My Account wallet page on a mobile device or on the Macy’s mobile application were not impacted.

“We are aware of a data security incident involving a small number of our customers on Macys.com,” a Macy’s spokesperson told Threatpost. “We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”

However, the attack surface could be huge. Macys.com has topped the list of retail apparel websites in terms of traffic traffic in 2019. In an April analysis of U.S. retail apparel site rankings, SimilarWeb cited Macys.com as number one with more than 55.7 million monthly visits.

An anonymous researcher reportedly linked the attack back to the Magecart group, an infamous loose affiliation of attack groups responsible for payment-card attacks on organizations from Forbes to First Aid Beauty. The researcher told Bleeping Computer that attackers altered the affected Macy’s web pages to include obfuscated Magecart script.

Macy’s consumers who are impacted should monitor their credit card statements for fraud-related activity. The company is also offering victims a free year of the Experian IdentityWorks credit monitoring service.

“We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist our investigation,” said Macy’s. “We have reported the relevant payment card numbers to the card brands (i.e. Visa, Mastercard, American Express and Discover). In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to Macys.com.”

However, security pundits argue that retailers like Macy’s need to be better in ramping up extra security measures against web skimmer attacks proactively – particularly as companies like TicketmasterForbesBritish AirwaysNewegg continue making headlines for Magecart-related breaches.

“MageCart is not a mystery, by now, one might think that ‘additional security measures’ would be added to all websites as a matter of course, before hackers drop in some malicious code,” said Colin Bastable, CEO of Lucy Security, in an email. “That is the definition of a precaution. Macy’s has implemented what should be described as a security postcaution.”

Security experts for their part urge the importance of established policies for verifying that internet-facing infrastructure is securely configured and patched – particularly for retailers as the holidays loom.

“Having strong and robust third-party policies to restrict external access to sensitive information and only allow verified code or scripts to be executed will greatly reduce exposure,” James McQuiggan, security awareness advocate at KnowBe4, said in an email.

“And if a breach does occur, the attacker’s opportunity to get data is severely impeded,” he said. “Macy’s customers should pay extra attention to emails sent to them regarding the Macy’s breach, as criminals will leverage the attack to get them to click on phishing links for false sites or open attachments that contain malicious software.”

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.

Suggested articles