Hackers breached Macy’s website and hijacked customers’ payment info
Popular US department store chain Macy’s has revealed that its website was hacked with malicious scripts in an attempt to steal customers’ payment information.
According to Bleeping Computer, “unauthorized code” was added to the ‘Checkout’ and ‘My Wallet’ pages of the online storefront, macys.com, on October 7, allowing the bad actor to capture credit card data. Macy’s said it was alerted to the situation on October 15, a full week after the site was breached.
The attackers were able to access detailed personal information, including the customer’s full name and address, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration if they were typed on one of the compromised pages.
Macy’s said it’s investigating the incident and added it had taken steps to prevent it from happening in the future. The company also told the publication only a small number of users were affected. As a corrective measure, it’s offering impacted customers one year of free credit monitoring.
We’ve reached out to the company for more details, and we’ll update the story if we hear back.
Increasing prevalence of Magecart attacks
Although spotted in the wild since 2010, this kind of intrusion, dubbed a Magecart attack because of the threat actors’ initial preference for the Magento e-commerce platform to gather illicit card data, has intensified over the last two years.
The attacks usually involve hackers compromising a company’s online store to stealthily siphon credit card numbers and account details of users who’re making purchases on the infected site by placing malicious JavaScript skimmers on payment forms.
“Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft,” cybersecurity firm RiskIQ noted in its report on the Magecart actors.
The recent wave of e-skimming attacks has grown so widespread, affecting over 18,000 websites, that it has led the FBI to issue a warning about the emerging cyber threat and urge businesses to erect sufficient security barriers to protect themselves.
The intelligence agency, in an advisory posted last month, recommended that companies keep their software up-to-date, enable multi-factor authentication, segregate critical network infrastructure, and watch out for phishing attacks.
Other security measures could include employing obfuscation techniques to mask the actual HTML and JavaScript code the site runs on, making it difficult for attackers to reverse-engineer a program and insert malicious scripts.
As a customer, unfortunately, there isn’t much you can do to safeguard yourself from formjacking attacks. One course of action is to use a virtual payment card service such as Blur, MySudo, or Privacy.com.
That way, even if your credit card details get compromised, the attackers won’t be able to use them to make unauthorized payments on your behalf. But the downside to this approach is that these services are available only to US residents, so you’re out of luck if you live elsewhere.
If anything, the incident is yet another reminder to practice good security hygiene and be on the lookout for any instances of financial fraud or identity theft.