By Bruce Sussman
Tue | Nov 19, 2019 | 10:59 AM PST

Macy's is notifying online customers about a data breach after a cyberattack on its macys.com website.

What happened in the Macy's cyberattack?

The attack on macys.com was a home run for those behind the card skimming and form-jacking scheme. They collected the key pieces of information needed to commit even more identity and payment fraud.

Here's how the investigation unfolded:

"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation.

Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.

The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and 'place order' button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019."

Now, let's look at the information the cybercriminals had access to:

•  First name
•  Last name
•  Address
•  Phone number
•  Email address
•  Payment card number
•  Payment card security code (CVV)
•  Payment card month/year of expiration 

What do cybercriminals do with stolen credit card information?

For the hackers to have access to this information, a customer had to type it into either the macys.com checkout page or the My Account wallet page.

And once they have it, what happens?

Cybercriminals sometimes use this type of information to apply for additional credit cards in your name, or they can go shopping with your numbers right now because they have all the necessary information to make transactions look legitimate.

Another option is to sell this information on the Dark Web, which is a huge business.

Carder forums are places on the Dark Web where this kind of information is bought and sold every day. The U.S. government unsealed a federal indictment this month against a man who made his money by running carder forums, which are like an eBay for stolen credit and debit card information.

Federal prosecutors describe 29-year-old Aleksei Burkov's business like this:

"Burkov allegedly ran a website called 'Cardplanet' that sold payment card numbers (e.g., debit and credit cards) that had been stolen primarily through computer intrusions. Many of the cards offered for sale belonged to U.S. citizens. The stolen credit card data from more than 150,000 compromised payment cards was allegedly sold on Burkov's site and has resulted in over $20 million in fraudulent purchases made on U.S. credit cards."

Magecart attack hit Macy's

According to BleepingComputer, which shared the Macy's breach notification letter, this was a Magecart attack.

"A researcher who wishes to remain anonymous at this time, reported the Magecart attack to Macy's and shared some of its details with BleepingComputer."

Those details include how the attacker altered the site's scripts to enable the attack.

Magecart attacks allow hackers to do exactly what happened here: alter the script on a website or webform, usually to grab what is being entered there by a customer or client. Some refer to this as a "form-jacking" attack.

Cybercriminals have a couple of entry points for this type of attack. They can either gain direct access to the website and its code, or they can attack a third-party vendor which supplies code to a website.

Examples of other big name organizations hit with Magecart attacks include British Airways and Ticketmaster.

Now, you can add Macy's to the list. It's at the end of the Magecart list for now, but probably not for long.
