Dive Brief:
- After Macy's disclosed a data breach last month, researchers from RiskIQ found the code was "a highly customized Magecart skimmer," according to a report from CSO based on RiskIQ research. The code was tailored to fit the retailer's "checkout process and customer relationship workflows."
- RiskIQ compared the code to other Magecart skimmers and determined it was applicable only to Macy's. The skimmer was designed for more than the checkout process, targeting "valuable information," according to researchers.
- The code targeted select pages of Macy's website, according to CSO. The hackers latched onto Macy's checkout and wallet page, enabling them to manipulate the editing controls protecting customer payment card numbers.
Dive Insight:
Magecart injects JavaScript into popular websites to skim for payment data through point-of-sale portals. The malware can check for card details and, once a validation is secured, the information is sent back to its operators.
"While digital skimmers have been around for years, the customized use of skimmers in attacks that target large e-commerce businesses is more recent. But what remains the same is what bad actors exploit: website design and operations processes that pay insufficient attention to insecure or unauthorized third-party code," said Mike Bittner, associate director of Digital Security and Operations for The Media Trust, in an email to sister publication CIO Dive.
The retailer did not disclose how many customers were impacted by the data breach, but California law requires a notification to be issued when at least 500 people are impacted, according to the breach notice from the office of California's attorney general.
The operators behind Macy's Magecart attack planted their code in Macy's JavaScript file, ClientSideErrorLog.js, according to RiskIQ. Researchers theorized the operators chose it for the Macys.com checkout and customer wallet.
Bad configurations or poor security hygiene leave "the same entry points" open for bad actors, said Bittner. If constant monitoring of third-party code is not done, "to keep out unauthorized activities, these attacks will continue simply because their success is almost guaranteed."