
Macy's has announced that it has suffered a data breach after its web site was hacked and injected with malicious scripts that steal customers' payment information.
This type of compromise is called a Magecart attack: attackers compromise a web site so that they can inject malicious JavaScript into various parts of it. These scripts then steal the payment information a customer submits.
According to a 'Notice of Data Breach' issued by Macy's, its web site was hacked on October 7th, 2019 and a malicious script was added to the 'Checkout' and 'My Wallet' pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information were sent to a remote site under the attackers' control.
"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and “place order” button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019."
As part of this breach, attackers were able to access customer information and credit card information, which includes the customer's first name, last name, address, city, state, zip, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration, if it was submitted on a compromised page.
Macy's states that it was alerted to this hack on October 15th, 2019, a full week after the site was breached, during which attackers were collecting payment information.
After the web site was cleaned, Macy's notified law enforcement and hired "a leading class forensics firm" to help with their investigation. They have also contacted all relevant credit card brands including Visa, American Express, Discover, and Mastercard to notify them of this breach.
Macy's told BleepingComputer that only a small number of customers were affected and that it has instituted additional security measures so this does not happen again.
"We are aware of a data security incident involving a small number of our customers on Macys.com," Macy's told BleepingComputer in a statement. "We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost."
Macy's has started sending out emails to those who were affected and advises them to monitor their credit card statements for suspicious or fraudulent activity. If anything is detected, consumers should immediately contact their credit card company and dispute the charge.
Macy's is also offering all users who were affected by this breach a free year of the Experian IdentityWorks credit monitoring service. Users will be able to sign up with the enclosed instructions and unique ID assigned to them.
The Magecart attack
A researcher who wishes to remain anonymous at this time reported the Magecart attack to Macy's and shared some of its details with BleepingComputer.
When the attackers compromised the Macy's website, they altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script to include an obfuscated Magecart script.

The researcher told us that when a customer submitted their payment information, this script would launch and send the submitted information to a command and control server at Barn-x.com/api/analysis.php.
The attackers could then access any stolen payment information by logging into the command and control server.
Update 11/18/19: Added information about the magecart script and the C2 server.
Comments
chilinux - 4 months ago
"Macy's told BleepingComputer that only a small amount of customers were affected and that they instituted additional security measures so this does not happen again."
Have those additional security measures already been put in place yet?
Their checkout web page is still aggressively promiscuous with the amount of third party JavaScript code it makes use of. Upon loading of the macys.com/chkout page, the browser also loaded JavaScript from 15 different domains. While they have a content-security-policy, it lists 86 domains (!?!?) and gives all of those scripts rights to 'unsafe-inline' and 'unsafe-eval'. These are called *unsafe* for a reason and probably shouldn't be a permission extended to third-party scripts on a checkout page which takes credit card information. They also seem to be trying to leverage a "connect-src" setting in the content-security-policy, but again open it to 30 different domains. So while barn-x.com might not be permitted to get the information any longer, if the attacker can compromise any of 30 different domains they should still be good to go for profiting off Macy's sheep.
It should also be stated that Macy's checkout page doesn't seem to make use of subresource integrity checking of JavaScript, which may have made the Magecart JavaScript injection harder. Using SRI in the HTML of the checkout web page could have made the attack harder since they would have to also modify the HTML to change the SRI to match the modified JavaScript file. Yet the Macy's checkout page still does not bother with making use of SRI.
I really wish someone would write a web browser extension that did a JavaScript and content-security-policy rating for the JavaScript exposure footprint of a loaded web page. Macy's seems to be leveraging on that their customers aren't aware of how much third-party code is run and trusted in the browser during check-out.
Newegg, which also left its customers open to a Magecart attack last year, currently has a content-security-policy for its checkout page of 13 domains, no connect-src restrictions and no subresource integrity checking. However, Newegg does have the same "Trustwave" seal which states "Your credit card and identity information are secure", which was also on Newegg at the time the Magecart credit card skimmer JavaScript code was active.
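The two controls the comment above asks for, as an added example that is not from the article, the commenter or Macy's: an audit of a Content-Security-Policy header for 'unsafe-inline'/'unsafe-eval' and for the size of the script-src and connect-src allowlists, plus the Subresource Integrity digest that would have flagged a modified script like the altered ClientSideErrorLog.js described in the article. The policy strings, hostnames and script bodies are constructed samples standing in for the real ones.

```python
import base64
import hashlib

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Summarise how much a policy exposes a page to third-party script.

    script-src and connect-src fall back to default-src when absent; quoted
    keyword sources ('self', nonces, hashes) are not counted as hosts."""
    policy = parse_csp(header)
    script = policy.get("script-src", policy.get("default-src", []))
    connect = policy.get("connect-src", policy.get("default-src", []))
    return {
        "script_unsafe": sorted(UNSAFE_KEYWORDS & set(script)),
        "script_hosts": [s for s in script if not s.startswith("'")],
        "connect_hosts": [s for s in connect if not s.startswith("'")],
        "connect_restricted": "connect-src" in policy or "default-src" in policy,
    }


def sri_hash(content, algo="sha384"):
    """Return the value to pin in a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(content, integrity):
    """True only if the fetched script body still matches the pinned digest."""
    algo = integrity.split("-", 1)[0]
    return sri_hash(content, algo) == integrity


# Constructed samples (hypothetical hosts, not Macy's real policy or script).
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' "
            "https://cdn.example-a.test https://tags.example-b.test https://stats.example-c.test; "
            "connect-src 'self' https://api.example-a.test https://beacon.example-b.test")
TIGHT_CSP = "default-src 'self'; script-src 'self' https://cdn.example-a.test; connect-src 'self'"
ORIGINAL_SCRIPT = b"window.logClientError = function (e) { console.error(e); };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// any appended byte changes the digest\n"
```

A browser that is given the pinned digest refuses to run TAMPERED_SCRIPT, so an attacker who can only overwrite the .js file also has to change the HTML that references it.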
Dunne - 4 months ago
Magecart and other attack vectors are only getting smarter, and the number of sites that have implemented a Content Security Policy is shockingly low. This attack would have been completely avoidable with a properly managed CSP.
There are solutions out there that are low cost and easy to use. It could potentially save firms thousands in bad press and identity recovery repercussions.
Some sites also see an improvement in web performance since CSP implementation forces you to inventory your third-party scripts. It's a no-brainer. Faster, safer websites make everyone happy!