Shopped online at Macy's last month? Might want to toss, or at least check, that card

Magecart making life difficult yet again for shopping website

US retailer Macy's says that hackers planted a card-stealing malware script on its site and harvested customer details for eight days last month.

A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website.

The script was able to capture payment card details in two different ways: as it was being entered through the checkout page when placing an order, or if it was stored in the "wallet" page on the Macy's website and then used to place an order.

"On October 15, 2019, we were alerted to a suspicious connection between and another website," the retailer told exposed punters.

"Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on"

Unfortunately for Macy's customers, the script got pretty much everything needed for card fraud: card number, security code, and expiration date. Additionally, the malware was able to collect customer names as well as email and mailing addresses and phone numbers.

Macy's notes that only the webpage was compromised: users who made purchases with the mobile app were not exposed. Experts say that the attack appears to be a rather bog-standard Magecart operation, albeit an extremely successful one.


It's never good when 'Magecart' and 'bulletproof' appear in the same sentence, but here we are


"The fundamentals of the attack techniques and the obfuscated Javascript code used by the malicious Magecart threat actors in the Macy's cyberattack involving changes to two files on the Macy's website, including the ClientSideErrorLog.js file which is part of the common js/utils repository, are not new and appear to be similar to the digital skimming techniques and code used in a number of other Magecart attack variants we have seen in recent months," explained Oleg Kolesnikov of Securonix Threat Research Lab.

"The infrastructure used in the attack, including the domain and the customized analysis.php script as part of a cPanel installation that was set up at the end of September 2019, a couple of weeks before the attack on Macy's was executed, also appears to be similar to the one used in some of the earlier attacks, indicating that this was likely more of an opportunistic cyberattack involving certain vulnerable components identified by the malicious threat actors rather than a targeted attack against Macy's."

That these sort of Magecart operations continue to succeed is a bad sign for both retailers and security providers. Because the code can be covertly injected directly into a webpage, Magecart attacks can be harder to spot than POS malware or infections that need to reside within the server's firmware.

Macy's customers who were exposed in the attack (a number was not given) would be well advised to keep a close eye on their bank statements over the next few months or, better yet, have their bank card replaced entirely. ®

Biting the hand that feeds IT © 1998–2021