Macy’s has revealed that it was affected by a data breach caused by Magecart card-skimming code implanted in the firm’s online payment portal.
The company stated in a letter issued to customers that it was alerted to the security incident on October 15, and that the Macy’s team immediately found that a card-skimming script had been injected into two pages on the Macy’s website.
The code was believed to be injected on October 7, affecting the Macy’s checkout page and wallet page. The wallet page can be accessed through the “My Account” option.
The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers.
Macy’s removed the code as soon as it was alerted to the issue, but customers who placed orders online or submitted financial details into their wallets are believed to have had their information stolen.
This data includes first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes, and expiration dates.
The number of customers affected by the breach is not known at the moment. According to a Macy’s spokesperson, only a small number of customers were involved, and they would be offered consumer protection services for free.
He also added that they have contacted federal law enforcement and brought in a leading forensics firm to assist in their investigation. They have also reported the relevant payment card numbers to the card brands and taken measures to prevent this type of unauthorized code from being added to macys.com.
This type of attack is known as a Magecart attack, which is a term used to describe card-skimming malware implants on otherwise legitimate e-commerce domains.
Magecart attacks were carried out against Ticketmaster, British Airways, Newegg, and numerous other websites.
The data skimmed in these attacks is then gathered and sent to a command-and-control (C2) server, from where it may be used to create clone cards or make fraudulent online purchases, or be sold on underground forums.
According to an anonymous researcher investigating the Macy’s attack, a ClientSideErrorLog.js script was tampered with to host Magecart code.
When active Magecart campaigns are detected, malicious code has to be cleared and any vulnerabilities that made the code injection possible have to be resolved.
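A tampered first-party script such as the ClientSideErrorLog.js case above can be caught by comparing what the payment pages serve against digests of reviewed script versions. The following Node.js sketch is an added example, not code from Macy’s or from the researcher; the paths, script bodies and function names are constructed placeholders.

```javascript
const { createHash } = require("crypto");

// SRI-style digest (sha384, base64), the form used in <script integrity="...">.
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Baseline of path -> digest, built from reviewed, known-good script bodies.
function buildBaseline(scripts) {
  const baseline = new Map();
  for (const [path, body] of Object.entries(scripts)) baseline.set(path, sriDigest(body));
  return baseline;
}

// Compare the scripts a payment page serves now against the baseline.
function auditPage(baseline, served) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    if (!baseline.has(path)) findings.push({ path, status: "unexpected" });
    else if (baseline.get(path) !== sriDigest(body)) findings.push({ path, status: "modified" });
  }
  const servedPaths = new Set(Object.keys(served));
  for (const path of baseline.keys()) {
    if (!servedPaths.has(path)) findings.push({ path, status: "missing" });
  }
  return findings;
}

// Constructed sample data: paths and bodies are placeholders, not real site files.
const knownGood = {
  "/js/ClientSideErrorLog.js": "window.onerror = function (msg) { /* report error */ };",
  "/js/checkout.js": "function submitOrder() { /* place order */ }",
};
const baseline = buildBaseline(knownGood);

// Constructed "currently served" set: one script changed, one script unknown.
const servedNow = {
  "/js/ClientSideErrorLog.js":
    knownGood["/js/ClientSideErrorLog.js"] + "\n/* constructed: unreviewed appended code */",
  "/js/checkout.js": knownGood["/js/checkout.js"],
  "/js/extra.js": "/* constructed: script not in the baseline */",
};

const findings = auditPage(baseline, servedNow);
console.log(findings);
```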