Macy’s Customer Payment Info Stolen in Magecart Data Breach
Macy’s has announced that it suffered a data breach after its web site was compromised with malicious scripts that steal customers’ payment information.
Daniel Smith, Radware Security Researcher:
“Magecart is going to be a huge problem as we go into the Black Friday/holiday shopping season. Magecart essentially works as a digital skimmer, harvesting personal and financial transactions from consumers while they shop online. Similar to ATM skimmers, digital skimmers target high traffic volume. Digital skimmers overall are expected to increase in use during the holiday season because of the high volume of shoppers in that timeframe.”
Mike Bittner, director of digital security and operations at The Media Trust:
“The challenge with preventing cross-site scripting attacks is identifying which code should be running on a site and which shouldn’t. Until site owners know all the domains that are called by code on their site, they won’t be able to distinguish who’s authorized to be there and who isn’t. If they have an inventory of allowed digital vendors, they’ll be able to root out unauthorized actors like those behind barn-x.com. They need to take a left-of-breach approach. Only allow code from digital vendors you know. Treat everyone else as a potential threat. You’ll avoid making the headlines for all the wrong reasons.”
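The inventory approach described above, as an added example that is not part of the original article or any vendor's product: a small Node.js audit that extracts every external script a rendered checkout page loads, compares each script's host against an allowlist of approved vendors, and derives a Content-Security-Policy `script-src` directive from that same allowlist so the browser enforces the inventory rather than relying on manual review. The HTML snippet, the page URL and all host names are constructed for the example.

```javascript
// Added example (not from the article): audit a page's third-party scripts
// against an inventory of approved vendor hosts. Hosts below are hypothetical.

// The inventory of hosts allowed to serve script to the checkout page.
const APPROVED_SCRIPT_HOSTS = new Set([
  'www.example-retailer.test',   // first-party host (hypothetical)
  'cdn.approved-analytics.test', // inventoried vendor (hypothetical)
]);

// Constructed sample: a checkout page with one script from a host that is
// not in the inventory, plus an inline script (no src) that the audit ignores.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
  <script src="https://www.example-retailer.test/js/checkout.js"></script>
  <script src="//cdn.approved-analytics.test/tag.js" async></script>
  <script src="https://static.unknown-vendor.test/loader.js"></script>
  <script>window.dataLayer = [];</script>
</head><body></body></html>`;

const PAGE_URL = 'https://www.example-retailer.test/checkout';

// Pull the src attribute out of every <script ...> tag. A regex is enough for
// auditing rendered HTML; it is not a general HTML parser.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let match;
  while ((match = re.exec(html)) !== null) sources.push(match[1]);
  return sources;
}

// Resolve a src value (absolute, protocol-relative or path-relative) to its
// host by resolving it against the page URL.
function hostOf(src, pageUrl) {
  return new URL(src, pageUrl).host;
}

// Return the script URLs whose host is not in the approved inventory.
function unauthorizedScripts(html, pageUrl, approvedHosts) {
  return scriptSources(html).filter(
    (src) => !approvedHosts.has(hostOf(src, pageUrl))
  );
}

// Build a CSP script-src directive from the inventory so the browser refuses
// scripts from any other host. 'unsafe-inline' is deliberately left out, since
// an injected inline skimmer would otherwise still run.
function cspScriptSrc(approvedHosts) {
  const hosts = [...approvedHosts].map((h) => `https://${h}`).join(' ');
  return `script-src 'self' ${hosts};`;
}

const findings = unauthorizedScripts(SAMPLE_CHECKOUT_HTML, PAGE_URL, APPROVED_SCRIPT_HOSTS);
console.log('Scripts outside the vendor inventory:', findings);
console.log('Suggested header: Content-Security-Policy: ' + cspScriptSrc(APPROVED_SCRIPT_HOSTS));
```

Running the audit against a crawl of the live checkout page on a schedule, and alerting on any host that is not in the inventory, is the operational form of the "only allow code from digital vendors you know" advice; the CSP directive is the enforcement form of the same list.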
James McQuiggan, Security Awareness Advocate, KnowBe4:
“The success of the Magecart attack comes from compromising the website through vulnerabilities or through a third-party vendor with access to sensitive data on the site. Organizations will want established policies and procedures to verify that internet-facing infrastructure is securely configured and patched up to date.
Secondly, organizations will need to restrict third-party vendors’ access to sensitive data. Having strong and robust third-party policies to restrict external access to sensitive information and only allow verified code or scripts to be executed will greatly reduce exposure. And if a breach does occur, the attacker’s opportunity to get data is severely impeded.
Macy’s customers should pay extra attention to emails sent to them regarding the Macy’s breach, as criminals will leverage the attack to get them to click on phishing links for false sites or open attachments that contain malicious software. Customers should monitor their credit accounts for any suspicious activities and close any accounts they do not recognize.”
From Richard Henderson, Head of Global Threat Intelligence, Lastline:
“Will Macy’s see a drop in sales now that we know about this breach? Probably not. Will attacks on storefronts like this dissuade shoppers from shopping online? Again, probably not. People have either accepted the fact that these things are going to happen from time to time, and expect their banks and credit card brands to catch fraudulent use of their cards quickly, or they’ve become jaded by yet another retail breach. The pros of online shopping still far outweigh the cons.
As with any major retailer, there are many, many moving parts in a large e-commerce site, and attackers know this. It can be very difficult to notice when things change. At the same time, you can be sure that the integrity of files will be something that Macy’s (and hopefully other retailers) take a good hard look at going forward to make sure they know the moment something changes in files like these.
The good news is that Macy’s says the impact was limited, and they (in relation to other major retail breaches in the past) were quick to respond and expunge the bad code once they became aware of it. One would expect that Macy’s learned some very hard lessons after this incident and I’d probably still shop online with them if they had something worth my shopping dollars.”