The company’s analysis shows a pivot to targeted, customized skimmers
RiskIQ sheds light on the breach of the Macy’s e-commerce platform, which may offer vital clues about the future of Magecart attacks.
Macy’s announced the breach on November 14th via a notice to customers but did not provide any analysis of the skimmer. According to RiskIQ, which has unique visibility into the JavaScript running on e-commerce sites via its global network of crawlers and sensors, the Macy’s incident could represent a pivot to more targeted attacks custom-built for the website functionality of selected targets.
Unlike more basic attacks that cause the majority of Magecart breaches and involve simple, often over-the-counter skimmers deployed to land on a wide range of targets, the attack on Macy’s was highly customized. In this attack, the skimmer was purpose-built to exploit the distinct construction of the Macy’s website to skim many different types of data. The skimmer intercepted and exfiltrated payment information, the target of most Magecart attacks, but also shipping data saved to customers’ personal Macy’s accounts. The theft of payment data outside of the checkout process was rarely seen in the wild before this attack.
“The nature of this attack, including the makeup of the skimmer and the skills of the operatives, was truly unique,” said RiskIQ Head Researcher Yonathan Klijnsma. “I’ve never seen a skimmer so meticulously constructed and able to play to the functionality of the target website.
Payment information combined with shipping and billing information creates a valuable package known on the black market as “fullz.”
Other insights in RiskIQ’s blog post include:
- The attack affected customers from October 7th through October 15th and included both the theft of payment information and general PII.
- The compromise was internal—someone had access to files on the webserver and strategically picked a file that would load onto the checkout and Macy’s Wallet pages.
- There were two targets for this skimmer, the checkout page and the Macy’s Wallet, a web interface in which customers can manage their payment methods. Because of how well-integrated this skimmer was, it could skim the data of users managing their payment methods in their Macy’s Wallet accounts.
- The ability for attackers to skim the Macy’s Wallet page is a momentous development for web skimming. Before this attack, having stored payment information was an effective way of avoiding skimming attacks.
- These Magecart operatives are highly experienced but don’t map to any known Magecart Group. We have yet to see stolen data from this breach go up for sale anywhere as of this writing.