Another MageCart card-skimming attack detected – hackers breached Macy's website
The hack took place on October 7th, according to the official statement from the company. After malicious scripts got added to Checkout and My Wallet pages, any data provided on these pages got affected. Unfortunately, those details include credit card information, customer data, personal details, which all were sent to the remote site:
On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that onOctober 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.
Bad news: hackers accessed personal details
A whole week passed by since the initial attack. The company was alerted and took action to stop the unauthorized code on October 15th. During this time, attackers collected payment information, information including customer's first name, last name, address, city, phone number, state, zip code, email address, payment card number, security code, payment card expiration date, if provided on the page.
There is no information on a specific number of people affected in this data-stealing campaign. However, the company offered protection services for free for the ones affected:
We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com.
The company says that they have informed law enforcement institutions that are continuing investigations on the events. Also, particular credit card brands like Visa, American Express, Discover, and Mastercard have also been contacted to notify about possible fraud and other related issues due to the breach.
MageCart attacks are initiated after finding the vulnerability in the e-commerce domain
The alert involving Macy's attack came up from a researcher who found MageCart on the compromised website. The team of attackers compromised a particular https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script and included the malicious MageCart script that launched and sent the data submitted by customers to a C&C server Barn-x.com/api/analysis.php. The stolen information can be accessed once the criminal logins to the command and control server.
MageCart is a term used to describe an incident when legitimate commercial websites are compromised to steal valuable information from the customers. Attacks like this one have been recorded for years now and many other websites and retailers have suffered breaches.
Usually, such a campaign is possible due to a vulnerability in a website or the content management system. Once the flaw is used to gain unauthorized access, threat creators can inject needed scripts and wait for the information submitted by unsuspecting consumers. Once affected, the company needs to clean the malicious code completely and patch any vulnerabilities that allowed the injection of the code possible.