Macy's has announced that they have suffered a data breach due to their web site being hacked with malicious scripts that steal customer's payment information.

This type of compromise is called MageCart attack and consists of hackers compromising a web site so that they can inject malicious JavaScript scripts into various sections of the web site. These scripts then steal payment information that is submitted by a customer.

According to a 'Notice of Data Breach' issued by Macy's, their web site was hacked on October 7th, 2019 and a malicious script was added to the 'Checkout' and 'My Wallet' pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information was sent to a remote site under the attacker's control.

"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and “place order” button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019."

As part of this breach, attackers were able to access customer information and credit card information that includes the customer's first name, last name, address, city, state,zip, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration if submitted on a compromised page.

Macy's states that they were alerted to this hack on October 15th, 2019, a full week after the site was breached and attackers were collecting payment information.

After the web site was cleaned, Macy's notified law enforcement and hired "a leading class forensics firm" to help with their investigation. They have also contacted all relevant credit card brands including Visa, American Express, Discover, and Mastercard to notify them of this breach.

Macy's told BleepingComputer that only a small amount of customers were affected and that they instituted additional security measures so this does not happen again.

"We are aware of a data security incident involving a small number of our customers on Macys.com," Macy's told BleepingComputer in a statement. "We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost."

Macy's has started sending out emails to those who were affected and advise them to monitor their credit card statement for suspicious or fraudulent activity. If anything is detected, consumers should immediately contact their credit card company and dispute the charge.

Macy's is also offering all users who were affected by this breach a free year of the Experian IdentityWorks credit monitoring service. Users will be able to sign up with the enclosed instructions and unique ID assigned to them.

The Magecart attack

A researcher who wishes to remain anonymous at this time, reported the Magecart attack to Macy's and shared some of its details with BleepingComputer.

When the attackers compromised the Macy's website, they altered the https://www.macys.com/js/min/common/util/ClientSideErrorLog.js script to include an obfuscated Magecart script.

Obfuscated Magecart Script

The researcher told us that when a customer submitted their payment information, this script would launch and send the submitted information to a command and control server at Barn-x.com/api/analysis.php.

The attackers could then access any stolen payment information by logging into the command and control server.

Update 11/18/19: Added information about the magecart script and the C2 server.