Facepalm: Just as the holiday shopping season is beginning to kick into gear, fashion retail giant Macy's has disclosed that the wallet and shopping cart pages of the company's website were compromised by hackers. Although it was tight-lipped with details, sources say it was a MageCart-style attack.
On Tuesday, fashion retailing giant Macy's issued an advisory to customers that its website servers had been breached by hackers. The attack was initiated on October 7, and the company was notified about it on October 15.
Macy's claims the attackers allegedly inserted an obfuscated script into the Checkout and My Wallet pages of the company's shopping website and skimmed data as it was submitted.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two (2) pages on [the Macy's website].”
As to the data that was leaked, the company’s notice said hackers obtained full names and addresses. More importantly, the attackers also had access to payment card numbers, along with their associated security codes and expiration dates. However, the company does not believe the data will be used for identity theft.
"There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name," the company told customers downplaying the severity of the attack. It wisely added, "Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer."
The way the hack worked is that a script inserted on the compromised pages sent a copy of submitted payment data to a third-party server where it was intercepted. This is known as a MageCart attack, named after the consortium of hackers that has used this technique to breach more than 17,000 other websites, including Newegg, Quest Diagnostics, and British Airways.
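The detection side of this is worth seeing concretely. The check below is an added example, not Macy's or TechSpot's code: it models the kind of monitor a retailer can run against its own checkout page, comparing every `<script>` element on the page against an allowlist of known host names and a baseline of inline-script hashes taken from a known-good snapshot. The page HTML, the `example-store.test` host names and the `unknown-third-party.example` host are all constructed for illustration.

```python
"""Audit a checkout page for script content that was not there before.

Added example (not Macy's or TechSpot's code). It flags two things a
MageCart-style injection typically introduces: an external script whose host
is not on the allowlist, and an inline script whose hash is not in the
baseline taken from a known-good copy of the page. All HTML and host names
below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the retailer knowingly loads scripts from (constructed).
ALLOWED_HOSTS = frozenset({"www.example-store.test", "cdn.example-store.test"})

# Known-good snapshot of the checkout page (constructed).
GOOD_HTML = """<html><head>
<script src="https://cdn.example-store.test/checkout.js"></script>
<script src="/static/app.js"></script>
<script>window.__cfg = {"page": "checkout"};</script>
</head><body><form id="payment"></form></body></html>"""

# Same page after an unauthorized change: one extra external script and one
# extra inline script. The bodies are placeholders, not real skimmer code.
INJECTED_HTML = GOOD_HTML.replace(
    "</head>",
    '<script src="https://unknown-third-party.example/loader.js"></script>\n'
    "<script>/* unexpected inline script (constructed) */</script>\n</head>",
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _digest(body):
    """SHA-256 of a whitespace-trimmed inline script, like a CSP hash-source."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def _collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def baseline_for(html):
    """Hashes of every inline script in a known-good snapshot of the page."""
    return frozenset(_digest(body) for body in _collect(html).inline)


def audit(html, allowed_hosts=ALLOWED_HOSTS, baseline_hashes=frozenset()):
    """Return a list of (kind, detail) findings for scripts that are not expected.

    kind is "external" (detail = the src URL) or "inline" (detail = the hash).
    Relative src values are same-origin and are not flagged.
    """
    parser = _collect(html)
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname
        if host is not None and host.lower() not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        digest = _digest(body)
        if digest not in baseline_hashes:
            findings.append(("inline", digest))
    return findings


if __name__ == "__main__":
    known = baseline_for(GOOD_HTML)
    for kind, detail in audit(INJECTED_HTML, baseline_hashes=known):
        print(f"unexpected {kind} script: {detail}")
```

Run against the injected page the audit reports the unknown external host and the unrecognized inline script; against the good snapshot it reports nothing. The same two allowlists map directly onto a `Content-Security-Policy` header (`script-src` with the allowed hosts and inline hashes, `connect-src`/`form-action` restricted to the store's own origin), which makes the browser enforce the baseline rather than only detecting drift after the fact.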
Since this method only skims data as it is submitted to the targeted website, not all customers were affected. Only those who visited and attempted to make purchases during the attack are at risk, which Macy's claims is only a small number of its customers.
“We are aware of a data security incident involving a small number of our customers on [the website],” a Macy’s spokesperson told BleepingComputer, who broke the story. “We have investigated the matter thoroughly, addressed the cause, and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”
As soon as the company found out there had been customer data leaked, it contacted federal law enforcement authorities and employed “a leading class forensics firm” to help with the internal investigation. It has also sent out notifications to affected parties letting them know what they can do.
While Macy's did not reveal details of its investigation, the security researcher who alerted the company to the attack told BleepingComputer that the script was sending the user data "to a C2 [command and control] server located on the Barn-x domain."
Oleg Kolesnikov, head of Securonix Threat Research Labs, told TechSpot in a statement that the attack had the earmarks of similar past breaches, but was probably not a targeted attack against Macy's.
"The infrastructure used in the attack, including the barn-x.com domain and the customized analysis.php script as part of a cPanel installation that was set up at the end of September 2019, a couple of weeks before the attack on Macy's was executed. [This breach] was likely more of an opportunistic cyberattack involving certain vulnerable components identified by the malicious threat actors rather than a targeted attack against Macy's."
Fortune reported a similar attack against Macy's occurred last year. In that breach, only 0.5 percent of customers had their data compromised. However, that one was a direct hack on the company's server, rather than a MageCart attack. Therefore, card security codes were not obtained since they are not stored by the website. The fact that the third party was able to skim CVVs gives this breach the potential to be far more damaging.
Image credit: Sundry Photography via Shutterstock