Macy’s Magecart breach presages Christmas fraud spike

US retailer Macy’s admits some customer data was accessed by unknown actors during a week-long Magecart attack

In the run-up to the festive shopping season, US department store chain Macy’s has become the latest high-profile victim of Magecart, with personal data on an undisclosed number of its customers – including credit card information, addresses, phone numbers and email addresses – leaked after being entered on a compromised web page.

The retailer became aware of the breach on 15 October, a week after two specific pages on its site – the checkout page and the wallet page accessed through the users’ accounts – were hacked via the insertion of malicious code.

The retailer was targeted by Magecart, which is a credit card fraud technique that skims card numbers in a supply chain attack by injecting malicious JavaScript into third-party software, such as that used by retailers in their online checkout systems. Previously implicated in the hacks of British Airways and Ticketmaster, Magecart is thought to be used by a number of different threat groups.

In a copy of a letter seen by Computer Weekly, which was issued on 14 November, Macy’s said: “We immediately began an investigation as soon as we suspected a problem. We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist in our investigation.

“We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorised code from being added to Macys.com.”

Macy’s said there was “no reason to believe” that the incident could be used by criminals to open new, fraudulent accounts, but nevertheless it has arranged to provide those affected by the breach with a 12-month subscription to Experian’s IdentityWorks fraud protection service (not Equifax).

Earlier in November, research from security firms Venafi and PerimeterX highlighted a spike in activity around online credit card fraud, occasioned by the late-November Black Friday sales event – at first a post-Thanksgiving shopping spree restricted to the US that has now gone worldwide – and the Christmas holidays.

Researchers spotted several techniques, both old and new, being tested against online retailers in the wild, as cyber criminals prepare to exploit the imminent online shopping boom.

Coming at this time of year, the Macy’s breach has highlighted the need for retailers and users to be hyper-vigilant, as Cybereason chief security officer Sam Curry pointed out.

“This is now the crazy holiday season, and adversaries know that. It is essential for retailers to start making crisis management more of a reflexive process. Imagine getting a hack-in-progress on Black Friday and prepare for that.

“Increasing vigilance means monitor more in the IT freeze that comes between Halloween and New Year. This is when IT is frozen, and hackers know it. That means they also know patching will be slow, changes to infrastructure won’t happen and responses will be conservative,” he said.

Nominet cyber security vice-president Stuart Reed added: “According to our research, more than a quarter of retailers have already been hit by a security breach in the past 12 months, and during the festive period the number of attacks will likely spike.

“These attacks can potentially be stopped if organisations have a clear view of network traffic going to and from their websites, as well as any brand adjacent websites that may be attempting to siphon off customer information.

“Macy’s eventually uncovered the attack by noticing a connection to another website. Thankfully, this attack was stopped relatively quickly, but all e-commerce sites will need to be extremely vigilant as the shopping season approaches and hackers begin their own shopping season.”
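The kind of check Reed describes can be sketched as follows. This is an added example, not part of the original article or anything Macy’s or Nominet has published: it audits the outbound requests seen on checkout and wallet pages against an allowlist of hosts. The host names, page paths and request log are constructed placeholders.

```javascript
// Constructed sample: requests seen while a synthetic shopper loads pages.
// All hosts and paths are placeholders (.example / .test are reserved names).
const SENSITIVE_PATHS = ["/checkout", "/account/wallet"];
const ALLOWED_HOSTS = ["shop.example", "payments.example"];

const observedRequests = [
  { page: "https://www.shop.example/checkout", url: "https://www.shop.example/static/cart.js" },
  { page: "https://www.shop.example/checkout", url: "https://api.payments.example/v1/tokenize" },
  { page: "https://www.shop.example/checkout", url: "https://shop.example.cdn-metrics.test/c.gif?d=abc" },
  { page: "https://www.shop.example/account/wallet", url: "https://stats.unknown-host.test/collect" },
  { page: "https://www.shop.example/home", url: "https://ads.unknown-host.test/banner.js" },
  { page: "https://www.shop.example/checkout", url: "not a url" },
];

// True only for an allowed domain itself or a genuine subdomain of it.
// A substring test would wrongly accept "shop.example.cdn-metrics.test".
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Only pages where card or wallet data is entered are audited.
function isSensitive(pageUrl) {
  const path = new URL(pageUrl).pathname;
  return SENSITIVE_PATHS.some((p) => path === p || path.startsWith(p + "/"));
}

function findUnexpectedConnections(requests) {
  const findings = [];
  for (const r of requests) {
    let host;
    try {
      if (!isSensitive(r.page)) continue;
      host = new URL(r.url).hostname;
    } catch {
      // Malformed entries are reported rather than silently dropped.
      findings.push({ page: r.page, host: null, reason: "unparseable URL" });
      continue;
    }
    if (!hostAllowed(host, ALLOWED_HOSTS)) {
      findings.push({ page: r.page, host, reason: "host not on allowlist" });
    }
  }
  return findings;
}

console.log(findUnexpectedConnections(observedRequests));
```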

Outpost24 product manager Simon Roe said that for businesses such as Macy’s, the breach showed the need for continuous approaches to threat management, which is particularly important when considering critical web pages such as those exploited by Magecart in this instance.

Roe also shared advice for customers: “On one hand, consumers should never assume complete security from any website. Customers should determine what practices they should employ to protect their card data. In some regions, credit card companies offer the possibility of locking down online purchases, which allows you a more granular control – unlock, shop, lock again.

“This decreases the window of opportunity for attackers, albeit at a cost on convenience. However, when it comes to protecting card data, users should be proactive in prevention,” he said.
