Macy’s has started notifying some of its customers that it discovered a software skimmer on its website, used by crooks to steal their personal and financial information.
The malicious software was discovered on October 15; attackers injected it into the checkout page and the My Account wallet page on the
Macy’s believes that the software skimmer was injected on October 7. It also notified law enforcement and hired a
The analysis of the software skimmer revealed that it was designed to siphon data provided by customers on the desktop version of the Macy’s website. According to the notice published by the retailer, the mobile application and mobile website were not impacted.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com.” reads the notice of data breach. “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page – if credit card data was entered and “place order” button was hit; and (2) the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
Information potentially accessed by the
Macy’s alerted payment card issuers and announced additional security measures to prevent such incidents in the future. The retailer announced it will offer 12-month identity protection services for affected customers.
According to the experts, the specific software skimmer used in the attack suggests the involvement of one of the Magecart groups.
A researcher who wishes to remain anonymous told BleepingComputer that the attack was carried out by one of the Magecart groups. He also shared the obfuscated Magecart script that was injected into the Macy’s website.
“When the attackers compromised the Macy’s website, they altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script to include an obfuscated Magecart script.” states BleepingComputer.
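A defender-side check for the kind of first-party script tampering described above, added here as an example and not taken from Macy’s, BleepingComputer or the researcher: it compares a served script against a digest recorded at release time and lists URL hosts that are not on an allowlist. The script path mirrors the one named in the quote; the script contents, hostnames and function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches the host part of http(s) URL literals embedded in a script.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sri_sha384(content: bytes) -> str:
    """Return the digest in Subresource Integrity form (sha384-<base64>)."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def external_hosts(content: bytes) -> set:
    """Hosts visible as plain URL literals. Obfuscated code can hide these,
    so this is a secondary signal; the digest comparison is the primary one."""
    text = content.decode("utf-8", "replace")
    return {h.lower().rstrip(".") for h in URL_HOST.findall(text)}


def audit_script(path, served, baseline, allowed_hosts):
    """Compare one served script with its release baseline and host allowlist."""
    findings = []
    expected = baseline.get(path)
    if expected is None:
        findings.append(f"{path}: no baseline recorded")
    elif sri_sha384(served) != expected:
        findings.append(f"{path}: digest mismatch against release baseline")
    for host in sorted(external_hosts(served) - allowed_hosts):
        findings.append(f"{path}: references unapproved host {host}")
    return findings


# Constructed sample data: a small error-logging script and a modified copy.
PATH = "/js/min/common/util/ClientSideErrorLog.js"
KNOWN_GOOD = (b'function logClientError(e){fetch("https://www.shop.example/log",'
              b'{method:"POST",body:String(e)});}\n')
TAMPERED = KNOWN_GOOD + b'var _c="https://stats.example.net/c";\n'
BASELINE = {PATH: sri_sha384(KNOWN_GOOD)}   # recorded at build/release time
ALLOWED = {"www.shop.example"}              # hosts the script may contact

if __name__ == "__main__":
    for label, body in (("clean", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(label, audit_script(PATH, body, BASELINE, ALLOWED))
```

Run on a schedule against what the web server actually serves, not against the repository copy, so that a change made directly on the host or CDN is caught.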
(SecurityAffairs – Magecart, Macy’s)