Payment data of Macy's customers leaked due to a hacked website

Another MageCart card-skimming attack detected – hackers breached Macy's website

Malicious code detected in the online payment portal leaked customer payment-related data.

In their official Notice Of Breach, Macy's announced the incident that resulted in stolen data of various customers.^[1] The hack type is known as “MageCart attack”, during which hackers inject the malicious code into the page to obtain information like payment and personal details.^[2] The malicious JavaScript is typically placed into various parts of the web site, resulting in stealing payment information and other details submitted by customers.^[3]

The hack took place on October 7th, according to the official statement from the company. After malicious scripts got added to Checkout and My Wallet pages, any data provided on these pages got affected. Unfortunately, those details include credit card information, customer data, personal details, which all were sent to the remote site:

On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that onOctober 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.

Bad news: hackers accessed personal details

A whole week passed by since the initial attack. The company was alerted and took action to stop the unauthorized code on October 15th. During this time, attackers collected payment information, information including customer's first name, last name, address, city, phone number, state, zip code, email address, payment card number, security code, payment card expiration date, if provided on the page.

There is no information on a specific number of people affected in this data-stealing campaign. However, the company offered protection services for free for the ones affected:

We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com.

The company says that they have informed law enforcement institutions that are continuing investigations on the events. Also, particular credit card brands like Visa, American Express, Discover, and Mastercard have also been contacted to notify about possible fraud and other related issues due to the breach.^[4]

MageCart attacks are initiated after finding the vulnerability in the e-commerce domain

The alert involving Macy's attack came up from a researcher who found MageCart on the compromised website. The team of attackers compromised a particular https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script and included the malicious MageCart script that launched and sent the data submitted by customers to a C&C server Barn-x.com/api/analysis.php. The stolen information can be accessed once the criminal logins to the command and control server.

MageCart is a term used to describe an incident when legitimate commercial websites are compromised to steal valuable information from the customers.^[5] Attacks like this one have been recorded for years now and many other websites and retailers have suffered breaches.^[6]

Usually, such a campaign is possible due to a vulnerability in a website or the content management system. Once the flaw is used to gain unauthorized access, threat creators can inject needed scripts and wait for the information submitted by unsuspecting consumers. Once affected, the company needs to clean the malicious code completely and patch any vulnerabilities that allowed the injection of the code possible.