[BreachExchange] Macy's data breach caused by a customized Magecart attack, research finds

Destry Winant destry at riskbasedsecurity.com
Thu Dec 26 10:00:16 EST 2019


- After Macy's disclosed a data breach last month, researchers from
RiskIQ found the code was "a highly customized Magecart skimmer,"
according to a report from CSO based on RiskIQ research. The code was
tailored to fit the retailer's "checkout process and customer
relationship workflows."
- RiskIQ compared the code to other Magecart skimmers and determined it
was applicable only to Macy's. The skimmer was designed for more than the
checkout process, targeting "valuable information," according to
- The code targeted select pages of Macy's website, according to CSO.
The hackers latched onto Macy's checkout and wallet page, enabling
them to manipulate the editing controls protecting customer payment
card numbers.

Dive Insight:

Magecart injects JavaScript into popular websites to skim payment data
from point-of-sale and checkout pages. The malware can validate the card
details it captures and, once validation succeeds, sends the information
back to its operators.

"While digital skimmers have been around for years, the customized use
of skimmers in attacks that target large e-commerce businesses is more
recent. But what remains the same is what bad actors exploit: website
design and operations processes that pay insufficient attention to
insecure or unauthorized third-party code," said Mike Bittner,
associate director of Digital Security and Operations for The Media
Trust, in an email to CIO Dive.

The retailer did not disclose how many customers were impacted by the
data breach, but California law requires a notification to be issued when
at least 500 people are impacted, according to the breach notice from the
office of California's attorney general.

The operators behind Macy's Magecart attack planted their code in
Macy's JavaScript file, ClientSideErrorLog.js, according to RiskIQ.
Researchers theorized the operators chose it because of its use on the
Macys.com checkout and customer wallet pages.

Bad configurations or poor security hygiene leave "the same entry
points" open for bad actors, said Bittner. If constant monitoring of
third-party code is not done, "to keep out unauthorized activities,
these attacks will continue simply because their success is almost