[BreachExchange] Macy’s suffers online Magecart card-skimming attack, data breach

Destry Winant destry at riskbasedsecurity.com
Tue Nov 19 10:01:41 EST 2019


https://www.zdnet.com/article/macys-suffers-online-magecart-card-skimming-attack/

Macy's has announced a data breach caused by Magecart card-skimming
code being implanted in the firm's online payment portal.

In a letter issued to customers, the company says that it was alerted
to the security incident on October 15, and the Macy's team quickly
found that card-skimming script had been injected into two pages on
the Macy's website.

The code, believed to have been injected on October 7, impacted the
Macy's checkout page and wallet page, the latter of which is accessed
through the "My Account" facility.

"The unauthorized code was highly specific and only allowed the
third-party to capture information submitted by customers," the US
department store chain said.

While the code was removed on the same day Macy's was alerted to the
problem, customers that have placed orders online or submitted
financial details into their wallets may have had their information
stolen.

This data includes first and last names, physical addresses, ZIP
codes, email addresses, payment card numbers, card security codes, and
expiration dates.

It is not known how many customers may have been embroiled in the
data-stealing campaign, which lasted at least a week before Macy's
knew of its compromise. However, a Macy's spokesperson told Bleeping
Computer that only a "small" number of customers were involved, and
they would be offered consumer protection services for free.

"We quickly contacted federal law enforcement and brought in a leading
class forensics firm to assist in our investigation," the company
says. "We have reported the relevant payment card numbers to the card
brands. In addition, we have taken steps that we believe are designed
to prevent this type of unauthorized code from being added to
macys.com."

This sort of incident is known as a Magecart attack, an umbrella term
used to describe card-skimming malware implanted on otherwise
legitimate e-commerce domains.

Magecart attacks have been recorded at Ticketmaster, British Airways,
Newegg, and thousands of other websites.

These attacks are usually made possible through a vulnerability in a
website or its backend content management system (CMS). Once
unauthorized access is gained, threat actors inject JavaScript code
into a webpage dealing with financial information, sit back, and wait
for unsuspecting consumers to submit their payment card details.

This data is then harvested and sent to a command-and-control (C2)
server, where it may be used to create clone cards, for fraudulent
online purchases, or sold on in batch information dumps on underground
forums.

An anonymous researcher investigating the Macy's attack told Bleeping
Computer that a ClientSideErrorLog.js script was tampered with to host
Magecart code. Once a victim submitted their payment details, this
data was then whisked away to a remote C2 hosted at Barn-x.com.

When active Magecart campaigns are detected, malicious code needs to
be stripped out and any vulnerabilities that made the code injection
possible in the first place have to be resolved.

Cybersecurity researchers are sometimes able to track the campaigns
back to their C2s, which can be shut down by notifying hosts of their
malicious purposes. However, as recently discovered by RiskIQ, these
domains can be repurchased by threat actors once they are released
back to the market, and if Magecart callouts are still active, they
may be repurposed for ad fraud and malvertising.
