Alleged Magecart hackers planted a software skimmer into Macy’s Website

Pierluigi Paganini November 19, 2019

Macy’s has started notifying some of its customers that crooks used a software skimmer to steal their personal and financial information.

Macy’s has started notifying some of its customers that it discovered a software skimmer on its website, used by crooks to steal their personal and financial information.

The malicious software was discovered on October 15; attackers had injected it into the checkout page and the My Account wallet page on the macys.com website.

Macy’s believes that the software skimmer was injected on October 7. The company also notified law enforcement and hired a forensic firm to help investigate the incident.

The analysis of the software skimmer revealed that it was designed to siphon data provided by customers on the desktop version of the Macy’s website. According to the notice published by the retailer, the mobile application and mobile website were not impacted.

“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.” reads the notice of data breach. “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page – if credit card data was entered and “place order” button was hit; and (2) the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”

Information potentially accessed by the cybercriminals includes: First Name; Last Name; Address; City; State; Zip; Phone Number; Email Address; Payment Card Number; Payment Card Security Code; Payment Card Month/Year of Expiration, if the values for these items were typed into the webpage while on either the macys.com checkout page or the My Account wallet page. Customers checking out or interacting with the My Account wallet page on a mobile device or on the macys.com mobile application were not involved in this incident.

Macy’s alerted payment card issuers and announced additional security measures to prevent such incidents in the future. The retailer announced it will offer 12-month identity protection services for affected customers.

According to the experts, the specific software skimmer used in the attack suggests the involvement of one of the Magecart groups.

A researcher who wishes to remain anonymous told BleepingComputer that the attack was carried out by one of the Magecart groups. He also shared the obfuscated Magecart script that was injected into the Macy’s website.

“When the attackers compromised the Macy’s website, they altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script to include an obfuscated Magecart script.” states BleepingComputer.

Magecart Script – Source Bleeping Computer
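Because the skimmer was added to an existing first-party script rather than loaded from a new URL, one defensive control is to compare the JavaScript actually being served against hashes recorded at release time. The sketch below is an added example, not code from Macy’s, BleepingComputer or the original article; the file contents are constructed, and `/js/min/checkout/app.js` is a hypothetical second asset.

```python
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 hex digest of one asset body."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(release: dict[str, bytes]) -> dict[str, str]:
    """Record path -> digest for every script in a known-good release."""
    return {path: digest(body) for path, body in release.items()}


def audit(baseline: dict[str, str], served: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare served scripts with the baseline and classify differences."""
    findings = {"modified": [], "unexpected": [], "missing": []}
    for path, body in served.items():
        expected = baseline.get(path)
        if expected is None:
            findings["unexpected"].append(path)   # script not in the release
        elif digest(body) != expected:
            findings["modified"].append(path)     # content changed after release
    findings["missing"] = sorted(set(baseline) - set(served))
    findings["modified"].sort()
    findings["unexpected"].sort()
    return findings


# Constructed sample data: benign placeholder bodies, not real site code.
ERROR_LOG = "/js/min/common/util/ClientSideErrorLog.js"  # path named in the article
RELEASE = {
    ERROR_LOG: b"function logClientError(e){/* constructed sample */}\n",
    "/js/min/checkout/app.js": b"function placeOrder(){/* constructed sample */}\n",
}
# Simulate what a monitor would fetch after extra code was appended to one file.
SERVED = dict(RELEASE)
SERVED[ERROR_LOG] = RELEASE[ERROR_LOG] + b"/* constructed: code appended after release */\n"

if __name__ == "__main__":
    for kind, paths in audit(build_baseline(RELEASE), SERVED).items():
        for path in paths:
            print(f"{kind}: {path}")
```

In practice the baseline would be produced by the build pipeline and the served copies fetched from outside the web tier, so that whoever can alter the script cannot also alter the reference hashes.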

Pierluigi Paganini

(SecurityAffairs – Magecart, Macy’s)
