What Can We Learn from the Famous Macy’s Magecart Cyberattack?

macys_magecart
Share article

The Macy’s Thanksgiving Day Parade has been held in New York City every year since 1924 and has also been televised on NBC since 1953. This national institution is followed by Black Friday which heralds the start of the holiday shopping season, but since the Macy’s Magecart attack of 2019, it’s also become a time of nervousness for online shoppers and businesses alike.

The Macy’s Magecart attack was the first to use malicious code specifically customized to target a single website and skim credit card details from shoppers’ wallets, along with personal identifying information. Researchers believe that this kind of highly targeted attack could signal a new trend for web skimmers from now on. It’s not known how many customers were affected by the attack and Macy’s claimed it was only a few, but as the hack was up and running for eight days, a high number seems likely.

How Did it Work?

Skimming typically involves attackers injecting unauthorized code into checkout and wallet pages. The script in this case was a heavily adapted Magecart skimmer that slotted in perfectly with the company’s customer relationship and checkout processes, and this is what was so surprising to analysts. Normal Magecart attacks carried out by more than a dozen groups are not usually so customized, but this one was adapted to the point where it wouldn’t work on any other website!

Rather than using supply chain attacks to implant the code, the attackers accessed Macy’s web server itself, modifying a JavaScript file called ClientSideErrorLog.js., probably because it was loaded on both the customer wallet page and the Macys.com checkout page.

A Broader Attack

Web skimmers have previously targeted a single page (such as checkouts where shoppers enter their payment details) to lower the chance of discovery, but this has also made it easier for security professionals to monitor one place for malicious code.

But on this occasion, the attackers chose to exploit every opportunity they could find, including a page called the wallet, where shoppers can save cards for quicker checkouts in the future.

Card numbers are usually masked with asterisks on these pages, but the Macy’s Magecart skimmer got around this by compromising the wallet functions used to handle payment cards. This approach has been a devastating innovation for skimming customer data.

New Account Credentials Targeted

Like many other retailers, Macy’s lets website visitors shop without an account, but it still encourages them (by offering 25% off) to turn the info they just entered into an account. The Macy’s Magecart attackers saw this as another opportunity for their skimmer to harvest data, so they attacked this vulnerability too. So meticulous were they that their malicious script works differently for guests and registered users.

Attention to Detail

The domain name and server where the skimmer sent the stolen data were up on September 24. The malicious script was injected into Macys.com on October 7 and was taken down by the company’s security team on October 15 after it noticed potentially malicious traffic.

The domain name used for data collection resembled a trusted third-party service used by Macy’s website so it would be almost indistinguishable from normal traffic. The script encoded the stolen information several times and then sent it to the Macy’s Magecart attackers’ servers so that traffic analysis systems would struggle to spot it. The skimmer also marked the data according to where it had been stolen from—the wallet page, guest checkout or a registered user.

What Can You Do?

In this case, the takeaway message was that bad actors were able to exploit website design and operations processes that did not pay sufficient attention to unauthorized or insecure third-party code. But Reflectiz offers strong security that helps you easily spot weak authentication, misconfigurations, and data leakage or exposure originating from third-party assets you control, even when these problems don’t come from within your network. You can configure a defense posture that suits your business situation, and when any action diverges from that norm, you will receive an immediate alert about the risk and it will be blocked.

A platform like Reflectiz is sophisticated enough to ensure consumer privacy and safeguard data on both the server and client sides to keep you one step ahead of ever more sophisticated online attacks. 

Take control

Stay up to date with the latest news and updates

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free