Macy’s Parades Your Data

On October 15th, Macy’s security team had a rude awakening. They were alerted to a card skimming script. It was deployed in two parts of their web site -- the checkout and the ‘wallet’ pages. The wallet is used to add and remove customer credit cards.

Macy’s dived into the script injection and realized the attack had happened a week before the alert was received (October 7th). During the week the script was running, Macy’s was leaking personally identifiable information (PIIs), such as full names, addresses, emails, and card numbers, including expiration dates and even CVV codes, which is likely a major PCI violation. If you made a purchase on Macy’s website around October 7 - 15th, we highly recommend you have your bank reissue your card with a new number.

This sort of security breach is known as a Magecart attack. Magecart attacks work by skimming data using the client browser as the front door for consumer interactions. "Skimming" is a method used by attackers to capture sensitive information from online forms, such as passwords, email addresses, and credit card data. Magecart attacks have been recorded on thousands of websites, including Newegg, British Airways, Ticketmaster, and Forbes.

So how does this type of breach happen? Usually, it’s due to outdated, unpatched software, lack of controls and alerts around code changes on production systems, and running software in a production environment without performing a security audit on the software.

Magento, the WordPress partner the Magecart Attack was named after, recently once again patched a bunch of bugs in their software, including RCE, XSS, and CSRF vulnerabilities. Many of the recently compromised sites were running v1.5 through v1.9, while the most recent version of the software is 2.1.7 for the Community edition.

According to RISKIQ, Magecart skimmers ‘have appeared over two million times, and directly breached over 18,000 hosts.’ In order to reduce your fraud risk, consider using virtual credit card numbers, or a payment intermediary. Try to limit sending live, non-single-use credit card data across the network.

Looking at Magecart-style attacks from a business operations viewpoint we find them fascinating because there are often so many different departments that could have been part of timely mitigation or detection solutions. The DevOps side of the house should be patching 3rd party libraries, whomever is responsible for log review should see abnormal web GET or POST requests, the network team should see an increase in data exfiltration, and for sufficiently large organizations - or those where online transactions are a critical source of revenue - the fraud team should see unacceptable user activity. So there are lots of gates working against the adversary, yet Magecart-style attacks continue to be super effective for the attacker.

“Ensuring teams are fully versed in attacker methodology continues to be the smartest investment for anyone building revenue-generating services. It’s relatively easy to build beautiful web-based services. It’s harder to ensure they protect the company’s sensitive information and customer data if the product and support teams don’t know about common vulnerability classes, such as cross site scripting,” says Evan Dornbush, Point3 co-founder and CEO.