The payment card breach that hit Macy’s online store in October was the result of a highly targeted and custom-built Magecart attack that could set the trend for web skimmers going forward, researchers believe.
On November 14, US department store chain Macy’s alerted customers to a security breach discovered in October on its website that led to the compromise of payment card details and customer information, including full names, addresses, telephone numbers and email addresses. At the time, the company described the breach as consisting of highly specific unauthorized code injected into the checkout and wallet pages on Macys.com with the goal of capturing information submitted by customers — in other words, what the security industry calls a web skimming attack.
Not your everyday Magecart
According to a new analysis of the malicious code, published today by security firm RiskIQ, the script was a highly customized Magecart skimmer made to integrate perfectly into Macy’s checkout process and customer relationship workflows. Magecart is a tool used by over a dozen attacker groups whose techniques vary in sophistication. However, this attack, even though clearly performed by hackers who are experienced in web skimming, doesn’t fit the modus operandi of any of the Magecart groups seen and tracked so far.
“In all the years that RiskIQ has been researching, analyzing, detecting and mitigating Magecart attacks, we’ve never observed a skimmer so customized as the one used to attack Macy’s,” the RiskIQ researchers said in their report. “Unlike the majority of Magecart skimmers, this skimmer could work only for the Macy’s website.”
Stored credit card information is now a target
Until now, one common aspect of almost all web skimming attacks was that they targeted the checkout process because that’s where shoppers input their payment information. Injecting malicious code into a single page instead of the entire website, as is the case with other web-based malware, decreases the chances of the compromise being discovered, but on the other hand, it gives defenders a specific place to monitor and look for web skimming code.
The hackers who compromised Macys.com realized that there are multiple areas in an online shop where users can input card information and that not targeting them as well is a wasted opportunity. One such place is the wallet – an account section where users can configure payment cards to be used without manually inputting them in the future.
The problem is that when displayed in their wallet or when selecting an already stored payment card during checkout, the card numbers are usually masked by the websites and most digits are replaced by asterisks. To overcome this problem, the Magecart skimmer used on Macys.com was designed to hook into the wallet functions that handle editing, adding or removing payment cards.
“The ability for attackers to skim the Macy’s wallet page is a momentous development for web skimming,” the RiskIQ researchers said. “For the longest time, having stored payment information was an effective way of avoiding skimming attacks. The attackers targeting Macy’s took this as a challenge and made their skimmer multifaceted. It is not just a skimmer for a checkout process; it is a skimmer for valuable information, wherever it may be.”
New account credentials were also targeted
Like most online stores, Macy’s allows website visitors to shop without having a registered account. However, one of the steps in the guest checkout process encourages users to create an account from the information they just entered and even offers a 25% discount coupon as incentive.
The attackers saw this as an opportunity and customized their skimmer to also capture the new account registration data. In fact, the malicious script has checks in place and separate workflows for registered users and guests, showing the hackers put meticulous effort into planning their attack.
“It’s important to emphasize how well-planned and thorough this attack was,” the RiskIQ researchers said. “Magecart operatives spent a tremendous amount of time learning Macy’s website’s checkout process and customer journey. Ultimately, their goal was to customize their skimmer to integrate seamlessly into Macy’s e-commerce platform to skim information as efficiently as possible while staying undetected for as long as possible.”
Attention to detail
Data collected by RiskIQ suggests the infrastructure behind the attack, like the domain name and server where the skimmer sent the stolen data, was up on September 24. The malicious script itself was injected into Macys.com on October 7 and was removed on October 15 when the company’s security team was alerted about potentially suspicious traffic from the website.
In an attempt to blend in with normal traffic, the attackers chose a data collection domain name very similar to that of a legitimate third-party service that Macy’s websites use. The script encoded the stolen information several times before sending it back to the attackers’ servers to make it hard for any potential traffic analysis systems to spot it. The attackers also went to the trouble of marking the data differently based on where it was stolen from: guest checkout, registered user checkout or wallet page.
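A defender-side check for the lookalike collection domain described above, as an added example that is not from the article or RiskIQ's report: it triages outbound-request records from the checkout and wallet pages against an allowlist of approved third-party domains. The host names, record fields (`page`, `blocked_host`), paths and distance threshold are constructed assumptions.

```python
# Added example. All host names and records are constructed placeholders,
# not indicators from the Macy's breach.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels only (assumption: no multi-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, allowlist, max_distance=2):
    """Return (verdict, nearest approved domain or None)."""
    dom = registrable(host)
    if dom in allowlist:
        return "allowed", dom
    best = min(allowlist, key=lambda a: edit_distance(dom, a))
    if edit_distance(dom, best) <= max_distance:
        return "lookalike", best   # near miss of an approved vendor: top priority
    return "unknown", None         # unapproved, but not imitating anything

def triage(reports, allowlist, watched_paths):
    """Keep non-allowlisted destinations seen on pages that handle card data."""
    findings = []
    for r in reports:
        if not r["page"].startswith(watched_paths):
            continue
        verdict, near = classify(r["blocked_host"], allowlist)
        if verdict != "allowed":
            findings.append((r["page"], r["blocked_host"], verdict, near))
    return findings

APPROVED = {"tagvendor.example", "payments.example"}   # constructed allowlist
WATCHED = ("/checkout", "/account/wallet")             # constructed paths
REPORTS = [                                            # constructed records
    {"page": "/checkout/pay", "blocked_host": "cdn.tagvendor.example"},
    {"page": "/account/wallet", "blocked_host": "api.tagvend0r.example"},
    {"page": "/account/wallet", "blocked_host": "static.unrelated.example"},
    {"page": "/home", "blocked_host": "api.tagvend0r.example"},
]

if __name__ == "__main__":
    for finding in triage(REPORTS, APPROVED, WATCHED):
        print(finding)
```

Watching the wallet path as well as checkout matters here because the skimmer described in the article ran on both.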
A sign of things to come
Web skimming has become a very popular and lucrative attack method for hackers, with RiskIQ claiming to detect several new Magecart breaches per hour through its platform and to have seen millions of attacks of this type to date. With that level of competition, attackers need to improve their tactics and stand apart from the crowd if they hope to score big.
“Highly targeted, highly technical breaches may become a trend,” the RiskIQ researchers warn. “We learned from the Macy’s breach that there are a variety of ways to attack the functionality of a website, and operatives with the right acumen and enough time will find them. In this case, the attackers unlocked the ability to skim saved payment information from customers, a capability rarely seen in the wild before this attack.”
Copyright © 2019 IDG Communications, Inc.