Macy’s Website Hit by E-Skimming Attack

Macy’s recently disclosed that its official website was the victim of an e-skimming attack resulting in unauthorized access to the personal information of its customers.

Macy’s, in its data breach notice, said that on October 15, 2019, it became aware of a suspicious connection between macys[dot]com and another website. Further investigation of this suspicious connection revealed that a malicious actor added malicious code into two web pages of the company’s website: (1) the checkout page where credit card data is entered and where the “order” button is located; and (2) the wallet page, which can be accessed through the customer’s “My Account”.

Macy’s said the malicious code injected into the two web pages of the company’s website allowed the malicious actor to steal information submitted by customers on the said web pages. The company said that the malicious code was removed on October 15, 2019.

The company added that the information captured and stolen via the malicious code includes first name, last name, address, phone number, email address, payment card number, payment card security code and payment card expiration. The company clarified that the company’s mobile app wasn’t affected by this attack.

What Is an E-Skimming Attack?

The injection of malicious code into the two web pages of the official website of Macy’s is an example of an e-skimming attack. In this type of cyber-attack, a malicious actor adds skimming code on payment card processing web pages of e-commerce websites in order to capture payment card and personally identifiable information.

Captured data is then sent to the command-and-control server, also known as C&C or C2, controlled by the malicious actor. C&C or C2 can be in the form of a website or cloud-based services, such as webmail and file-sharing services. Stolen payment card information and other personally identifiable information are either sold or used for other fraudulent activities.

The e-skimming attack on Macy’s has been linked to Magecart – the collective name given to the groups responsible for adding malicious code on compromised e-commerce websites. A security researcher, who wishes to remain anonymous, linked the attack back to Magecart and shared some of the details of the attack with BleepingComputer.

According to the security researcher, the attackers compromised Macy’s website by altering the https://www[dot]macys[dot]com/js/min/common/util/ClientSideErrorLog[dot]js script to include Magecart code. The researcher said the Magecart code allowed the attackers to capture the payment information submitted by customers, and this captured information was then sent to the command and control server at Barn-x[dot]com/api/analysis[dot]php.


Pipka is an example of malicious code used by attackers in e-skimming attacks. Visa first reported on this malicious code just this month.

According to Visa, at least 16 e-commerce websites had been compromised with Pipka, in which the malicious code is added directly into sections of the targeted e-commerce websites that accept user input. This malicious code allows the attackers to harvest the data entered by customers, and the harvested data is then sent to a command and control server.

Visa said Pipka exhibits unique features that are never before seen in the wild such as the ability to remove itself from the HTML code after it’s successfully executed, enabling it to avoid detection. Pipka also avoids detection through a self-cleaning feature. “The clear function locates the skimmer’s script tag on the page and removes it,” Visa said. “Since this happens immediately after the script loads, it is difficult for analysts or website administrators to spot the code when visiting the page.”

Visa added that Pipka hides its exfiltration – the process of sending the harvested data to the command and control server. “Skimmed data is exfiltrated using an image GET request, similar to several other JavaScript skimmers,” Visa said. “However, instead of loading and then immediately removing the image tag, Pipka sets the onload attribute of the image tag. The onload attribute executes supplied JavaScript when the tag is loaded, in this case the JavaScript removes the image tag once it is loaded.”

Visa, however, didn’t mention how attackers were able to add Pipka into the targeted e-commerce websites.
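The two behaviours Visa describes (a script tag that removes itself right after loading, and an exfiltration image whose onload handler removes the tag) leave a recognisable pattern in DOM mutation records. The following detection logic is an added example, not code from Visa's report or from any affected site; the record shape, the shop.example and collector.example hosts and the one-second window are assumptions of this example.

```javascript
// Added example: flag Pipka-like behaviour in DOM mutation records.
// In a browser these records could be collected with a MutationObserver
// (childList + subtree); the record shape below is an assumption.
function hostOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).hostname; } catch { return null; }
}

// Returns leads for analyst review, not verdicts: some legitimate loaders
// also remove their own tags.
function findSkimmerTraits(records, { pageOrigin, allowedHosts, windowMs = 1000 }) {
  const added = new Map(); // node id -> its "added" record
  const findings = [];
  for (const r of [...records].sort((a, b) => a.t - b.t)) {
    if (r.type === "added") { added.set(r.id, r); continue; }
    const a = added.get(r.id);
    if (!a || r.t - a.t > windowMs) continue; // long-lived nodes are normal
    const host = a.src ? hostOf(a.src, pageOrigin) : null;
    const offSite = host !== null && !allowedHosts.includes(host);
    if (a.tag === "script") {
      // Trait 1: script tag removed from the page right after it loaded.
      findings.push({ rule: "self-removing-script", id: a.id, host });
    } else if (a.tag === "img" && a.onload && offSite) {
      // Trait 2: off-site image with an inline onload handler, removed at once.
      const queryBytes = new URL(a.src, pageOrigin).search.length;
      findings.push({ rule: "onload-beacon-image", id: a.id, host, queryBytes });
    }
  }
  return findings;
}

// Constructed sample records (t in ms since page load); hosts are placeholders.
const OPTS = { pageOrigin: "https://shop.example",
               allowedHosts: ["shop.example", "cdn.shop.example"] };
const SAMPLE = [
  { t: 0,    type: "added",   tag: "script", id: 1, src: "/js/app.js", onload: null },
  { t: 120,  type: "added",   tag: "script", id: 2, src: null, onload: null },
  { t: 125,  type: "removed", tag: "script", id: 2 },
  { t: 300,  type: "added",   tag: "img", id: 3, src: "/img/logo.png", onload: null },
  { t: 900,  type: "added",   tag: "img", id: 4,
    src: "https://collector.example/p.gif?d=AAAA", onload: "this.remove()" },
  { t: 960,  type: "removed", tag: "img", id: 4 },
  { t: 1500, type: "added",   tag: "img", id: 5,
    src: "https://cdn.shop.example/banner.jpg", onload: "fadeIn(this)" },
  { t: 9000, type: "removed", tag: "img", id: 5 },
];

console.log(findSkimmerTraits(SAMPLE, OPTS));
```

The long-lived banner image (id 5) and the normally loaded script (id 1) produce no findings; only the short-lived inline script and the off-site onload image are reported.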

Preventive and Mitigating Measures Against E-Skimming Attacks

Below are the common ways attackers are able to inject malicious code into e-commerce payment card processing web pages.

  1. Network Access

Attackers gain access to a victim network that can reach the target e-commerce website, either via phishing email or by brute-forcing administrative credentials.

Preventive/Mitigating Measures:

Use email solutions that automatically block phishing emails; use strong passwords; use multi-factor authentication; practice network segmentation to prevent attackers from moving from one computer to another.

  2. Third-Party Software Compromise

Compromising third-party software that’s added to the target website is another way by which attackers launch e-skimming attacks. Attackers, for instance, add the skimming code into third-party software such as components that provide online advertisements and web analytics.

Preventive/Mitigating Measures: Closely vet third-party software integrated into websites.

  3. Cross Site Scripting (XSS)

Exploiting a security vulnerability on the e-commerce website is another way by which attackers launch e-skimming attacks. One of the security vulnerabilities often exploited by attackers is cross site scripting (XSS) – a security vulnerability in websites or web applications that accept user input, which includes checkout web pages.

Preventive/Mitigating Measures: Patch dangerous web application vulnerabilities, restrict user input to a specific whitelist, and use a web application firewall (WAF).
