With Black Friday looming and the opening of the holiday shopping season at our doorstep, U.S. department store chain Macy’s announced earlier this week that some of its customers’ online payment information was skimmed in another Magecart web skimming attack.
In a breach notice sent to customers, the company explained that a web skimmer was discovered on Macys.com collecting customers’ payment card details. The notice went on to say that “an unauthorized third party added unauthorized computer code” to the Macy’s website on Oct. 7. This code, which was discovered and removed on Oct. 15, was gathering sensitive personal information, such as names, addresses, phone numbers, email addresses, and payment card information (including the number, security code, and expiration dates).
This attack is just the latest in a string of web skimming attacks that are becoming increasingly popular with cybercriminals. In fact, the FBI recently issued a warning for both public and private enterprises in the United States about the dangers of e-skimming attacks like those carried out by Magecart.
What is a Magecart attack?
Magecart refers to a loose affiliation of attack groups that use web skimming, or e-skimming, to carry out attacks on websites — typically targeting payment card details by inserting web skimming code to monitor and steal sensitive information like names, birth dates, or credit card numbers. Attackers often infect third-party scripts with malicious virtual skimmers that will run in the browser when a page is loaded, monitoring data being entered into form fields and sending it back to attackers.
Magecart attacks have been disclosed at Ticketmaster, British Airways, and Newegg — and earlier in the year, it was reported that Magecart has infected over 2 million websites and has directly breached at least 18,000 domains.
What happened during the Macy’s attack?
It is not currently known how many people were affected by the payment-card attack, but it’s important to look at what went wrong to try to avoid the same mistakes.
An anonymous security researcher investigating the attack told Bleeping Computer that attackers altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script in order to include the Magecart code. This code executed any time a customer submitted their payment details, sending payment information to a remote server owned by the attackers, hosted at Barn-x.com.
In addition, web skimming attacks are nearly impossible for web teams to identify because they take place beyond the security edge, directly in visitors’ browsers. This means that the data exfiltration happens in the browser without ever interacting with the organization’s web server, leaving traditional security solutions like web application firewalls in the dark.
Traditional techniques like traffic inspection and auditing won’t detect a breach when it’s happening — meaning most Magecart attacks are only discovered after the damage has already been done.
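Because the exfiltration request leaves from the visitor's browser, the browser is the only place it can be observed. One defender-side answer is a small script, loaded before anything else on the page, that wraps the network primitives a page can use and reports any destination outside an allowlist, paired with a Content-Security-Policy `connect-src` so the browser itself blocks what the monitor only reports. The following is an added example, not code from Macy's, Instart or the original post; it assumes a JavaScript runtime with the `URL` class (any browser, or Node.js for the demo), the origins are constructed, and the `report` callback stands in for whatever telemetry endpoint the site uses.

```javascript
// Added example (not Macy's own code or Instart's product): a browser-side
// egress monitor. A skimmer runs in the visitor's browser, so the request
// carrying the stolen card data is visible only there. This wraps fetch,
// XMLHttpRequest and sendBeacon and reports any destination whose origin
// is not on the allowlist. Origins and the report sink are constructed.
class OutboundMonitor {
  constructor(pageOrigin, allowedOrigins, report) {
    this.pageOrigin = new URL(pageOrigin).origin;
    this.allowedOrigins = allowedOrigins.map((o) => new URL(o).origin);
    this.allowed = new Set([this.pageOrigin, ...this.allowedOrigins]);
    this.report = report || (() => {}); // stands in for a telemetry endpoint
    this.findings = [];
  }

  // Classify one destination; relative URLs resolve against the page origin,
  // and anything that does not parse to a real origin (data:, blob:) is
  // flagged. Returns true if allowed, false (and records a finding) otherwise.
  check(url, via) {
    let origin = 'invalid';
    try { origin = new URL(String(url), this.pageOrigin).origin; } catch (e) { /* keep 'invalid' */ }
    if (this.allowed.has(origin)) return true;
    const finding = { via, url: String(url), origin };
    this.findings.push(finding);
    this.report(finding);
    return false;
  }

  // Wrap the primitives that exist in the given global object. This is
  // detection only: a skimmer that ran earlier could have kept references
  // to the originals, so the monitor must be the first script on the page,
  // and the CSP directive below remains the browser-enforced control.
  install(g = globalThis) {
    const self = this;
    if (typeof g.fetch === 'function') {
      const origFetch = g.fetch;
      g.fetch = function (input, ...rest) {
        const target = input && typeof input === 'object' && 'url' in input ? input.url : input;
        self.check(target, 'fetch');
        return origFetch.call(g, input, ...rest);
      };
    }
    if (typeof g.XMLHttpRequest === 'function') {
      const origOpen = g.XMLHttpRequest.prototype.open;
      g.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
        self.check(url, 'XMLHttpRequest');
        return origOpen.call(this, method, url, ...rest);
      };
    }
    if (g.navigator && typeof g.navigator.sendBeacon === 'function') {
      const origBeacon = g.navigator.sendBeacon;
      g.navigator.sendBeacon = function (url, data) {
        self.check(url, 'sendBeacon');
        return origBeacon.call(g.navigator, url, data);
      };
    }
    return this;
  }

  // The matching Content-Security-Policy directive, derived from the same
  // allowlist so policy and monitor never drift apart.
  cspConnectSrc() {
    return `connect-src 'self' ${this.allowedOrigins.join(' ')}`.trim();
  }
}

// Constructed sample: the shop's own origin, one approved CDN, and one
// unknown destination of the kind a skimmer would post to.
function demo() {
  const seen = [];
  const monitor = new OutboundMonitor('https://shop.example', ['https://cdn.example'], (f) => seen.push(f));
  monitor.check('/api/checkout', 'fetch');                      // same origin: allowed
  monitor.check('https://cdn.example/lib.js', 'fetch');         // approved CDN: allowed
  monitor.check('https://exfil.example/collect', 'sendBeacon'); // unknown origin: reported
  return { findings: monitor.findings, seen, csp: monitor.cspConnectSrc() };
}

console.log(demo());
```

Two caveats follow from the design. First, the monitor sees only the primitives it wrapped; a policy in the `Content-Security-Policy` header covers the rest (`img-src`, `form-action`, WebSocket connections) and is enforced by the browser regardless of script order. Second, the findings are only useful if they reach the security team: the `report` callback should post to a collector the site controls, and a sudden new origin appearing in that feed during checkout is the signal that traditional server-side inspection cannot produce.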
For a Magecart attack to be successful, there is usually a chain of failure starting with either a server being exploited or third-party hosting resources being compromised. While many organizations put protections in place to prevent such breaches, flaws happen and holes exist. When an attacker finds a hole and injects their malicious code, there will often be a period of time before the attack is discovered where customer data is being stolen.
Avoid being caught up in the holiday fraud spike — protect your website against third-party vulnerabilities
Magecart attacks aren’t slowing down — especially with the holiday shopping season fast approaching. But that doesn’t mean you have to wait around and allow your customers’ data to be stolen by Magecart.
After all, you can’t steal what you can’t see.
This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Andy Wyatt. Read the original post at: https://www.instart.com/blog/macys-magecart-protection