Macy's is the latest victim of Magecart — don't be next!

Macy's is the latest victim of Magecart — don't be next!

With Black Friday looming and the opening of the holiday shopping season at our doorstep, U.S. department store chain Macy’s announced earlier this week that some of its customers’ online payment information was skimmed in another Magecart web skimming attack. 

In a breach notice sent to customers, the company explained that a web skimmer was discovered on Macys.com collecting customers’ payment card details. The notice went on to say that “an unauthorized third party added unauthorized computer code” to the Macy’s website on Oct. 7. This code, which was discovered and removed on Oct. 15, was gathering sensitive personal information, such as names, addresses, phone numbers, email addresses, and payment card information (including the number, security code, and expiration dates). 

This attack is just the latest in a string of web skimming attacks that are becoming increasingly popular with cybercriminals. In fact, the FBI recently issued a warning for both public and private enterprises in the United States, warning them about the dangers of e-skimming attacks like those carried about by Magecart. 

What is a Magecart attack? 

Magecart refers to a loose affiliation of attack groups that use web skimming, or e-skimming, to carry out attacks on websites — typically targeting payment card details by inserting web skimming code to monitor and steal sensitive information like names, birth dates, or credit card numbers. Attackers often infect third-party scripts with malicious virtual skimmers that will run in the browser when a page is loaded, monitoring data being entered into form fields and sending it back to attackers. 

Magecart attacks have been disclosed at Ticketmaster, British Airways, and Newegg — and earlier in the year, it was reported that Magecart has infected over 2 million websites and has directly breached at least 18,000 domains. 

Attack guide: How Magecart skimming attacks workRelated Solution brief

What happened during the Macy’s attack? 

It is not currently known how many people were affected by the payment-card attack, but it’s important to look at what went wrong to try and avoid the same mistakes. 

An anonymous security researcher investigating the attack told Bleeping Computer that attackers altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script in order to include the Magecart code. This code executed any time a customer submitted their payment details, sending payment information to a remote server owned by the attackers, hosted at Barn-x.com. 

Web skimming attacks like those carried out by Magecart take advantage of the lack of control of the JavaScript being run in the browser by a website. Third-party scripts and code are often used by IT teams to implement features like live chat, shopping carts, analytics, or online retargeting tools. While the use of scripts are extremely common, arguably unavoidable, in modern web development — they also leave many organizations vulnerable to attack. 

In addition, web skimming attacks are nearly impossible for web teams to identify because they are taking place beyond the security edge, directly in the visitor’s browsers. This means that the data exfiltration takes place in the browser without ever interacting with an organization’s website server, leaving traditional security solutions like web application firewalls in the dark. 

Traditional techniques like traffic inspection and auditing won’t detect a breach when it’s happening — meaning most Magecart attacks are only discovered after the damage has already been done. 

For a Magecart attack to be successful, there is usually a chain of failure starting with either a server being exploited or third-party hosting resources being compromised. While many organizations put protections in place to prevent such breaches, flaws happen and holes exist. When an attacker finds a hole and injects their malicious code, there will often be a period of time before the attack is discovered where customer data is being stolen.

On-demand webinarThe Macy’s Magecart madness: highly specific unauthorized codeWatch now

Avoid being caught up in the holiday fraud spike — protect your website against third-party vulnerabilities

Magecart attacks aren’t slowing down — especially with the holiday shopping season fast approaching. But that doesn’t mean you have to wait around and allow your customers’ data to be stolen by Magecart.

Protecting your web application’s first-party infrastructure alone is not enough and still leaves you vulnerable to web skimming attacks. As demonstrated by the Macy's incident, once attackers have a way into your application, they are free to exfiltrate data as they wish until they are detected. The best defense against web skimming is to prevent all unauthorized JavaScript access to sensitive data that may be in form fields or stored in website cookies. 

Instart Web Skimming Protection intercepts all API calls from any JavaScript in the browser and automatically blocks access to all HTML form fields and cookies, unless they have been given explicit permission. This zero-trust approach prevents any script, whether malicious, infected, or non-critical, from gaining access to sensitive customer data and protects your apps, your customers, and your brand from a breach.

By adopting a zero-trust approach to third-party JavaScript, you will be able to prevent the threat without having to rely on methods that are simply not reliable or capable of detecting a Magecart breach. That way, even when (not if) you get infected by a Magecart skimmer, the infected script won’t be able to access anything valuable. 

After all, you can’t steal what you can’t see. 

Don’t remain powerless against web skimming — take steps today to protect your customers, your apps, and your brand.Request a demo