Magecart Could Ruin Your Holiday

Sue Poremba
Nov 25 · 3 min read

Did you know Macy’s website suffered a hack recently? Maybe not. We’re becoming numb to data breaches and hacked websites, so much so that unless it is something that impacts hundreds of millions of people (like Equifax and Yahoo) or compromises all of your personal information (like the Office of Personnel Management), you’ll never hear about it in mainstream media. And the Macy’s breach was small compared to most.

“Every cloud has a silver lining. Macy’s has so few online customers buying from their website that ‘only a small amount of customers were affected,’” Colin Bastable, CEO of security awareness training company Lucy Security, said in an email comment (ouch!).

However, the Macy’s breach should serve as a warning to both businesses and to customers. The threat of an ecommerce website hack over the holiday shopping season is real and could ruin your holiday. As Bastable also pointed out, “ the hackers will not be too disappointed that they only infected two pages on macys.com, given that those were the checkout and wallet pages.”

Electronic Card Skimming

You may be familiar with card skimming. Bad guys put a difficult-to-detect device on a credit card reader, so when you swipe your card, the device steals the information from the magnetic strip. They are most common on gas pumps and ATMs.

You’d think skimming wouldn’t be an issue with online purchases, but hackers have figured out a way. They do it with a piece of credit-card skimming malware called Magecart that, according to Forbes, has infested thousands of ecommerce websites.

Magecart isn’t new — it has been around for years — but hackers have only recently begun to understand how to use the malware to attack websites. As Dark Reading explained, supply chain sites or third-party shopping platforms are common gateways used to steal credit card data and other PII from websites.

If you are shopping online this holiday season — and you know you plan to — you need to be aware that your credit card information is at risk from a type of attack you may not be familiar with.

“Online retailers like Macy’s are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards,” explained Elad Shapira, Head of Research at Panorays in an email comment. “For this reason, organizations must put processes in place to manage and review their susceptibility to the Magecart threat.Until they do so, Magecart’s stealthy and highly effective attacks will continue. Macy’s is simply the latest victim, but it definitely won’t be the last.”

As a consumer, you have no control over a website’s security, so proceed at your own risk. But you are responsible for making sure you track your PII and know if you are compromised.

“ Consumers affected should check their credit card statements and request a new one right away, to render the stolen credit card data useless. Once stolen, these card numbers are sold on the dark web for future fraudulent purchases,” said Justin Fox, Director of DevOps Engineering for NuData Security via email. “This has been evident in the month where NuData’s network has witnessed that credit card cycling (the action of testing stolen credit cards to see if they are still active) has increased by 158%.

“Unfortunately, these types of attacks are not going anywhere, and companies need to start verifying the legitimacy of their buyers using more information than credit card numbers or other personally identifiable information to prevent chargebacks and brand damage.”

This idea of companies verifying the identity of consumers is a topic that comes to the forefront with malware like Magecart, but it is something that interests me enough that I plan to look at the topic more in depth in 2020. So stay tuned!

Sue Poremba

Written by

Sue is a cybersecurity writer based in Central PA. Her posts are written for non-techies because everybody needs to follow basic cybersecurity practices.