What Happened?
Fraudsters are warming up for the holidays, targeting household names through e-commerce site hacking and credential stuffing attacks. On November 19, 2019, news broke that Macy’s e-commerce site was infiltrated by a third party, embedding malicious code into Macy’s online checkout page.
These bad actors also placed their skimming code on the Macy’s Wallet page, used by account holders to store payment credentials. This malware collected names, full addresses, phone numbers, email addresses, payment card numbers, card security codes, and payment expiration dates belonging to shoppers who made purchases through the Macy’s website over several weeks before it was identified and removed.
