The US gunmaker Smith & Wesson was hacked late last month in a Magecart attack in which attackers injected a malicious software skimmer.

A new Magecart attack has made the headlines; the victim is the American gunmaker Smith & Wesson. The hack took place last month, when the attackers planted a malicious software skimmer on its website to steal customers’ payment card data.

The hack was discovered by the researcher Willem de Groot of security firm Sanguine Security. The attackers planted the software skimmer on the Smith & Wesson e-commerce site on November 27.

The expert discovered that the software skimmer and the infrastructure are identical to those of the campaign that impersonates Sanguine Security. The hacker registered skimming domains using de Groot's name and disguises them as Sanguine protection.

Willem de Groot (@gwillem):

Stock listed gun maker @Smith_WessonInc got popped during Black Friday. Payment skimmer injected on Nov 27, still active (co-research by @AffableKraut)

Sanguine Security Labs (@eComscan):
Skimming code & infrastructure is identical to the campaign that impersonates Sanguine Security. Hacker registered skimming domains in my name and disguises as Sanguine protection. https://twitter.com/eComscan/status/1200749626988662784?s=20 …

Alert: new Magecart skimmer campaign disguises as Sanguine protection. Domains: sansec[.]us, sanguinelab[.]net are used to funnel stolen payments.

The compromised Smith & Wesson online store loads malicious code from a domain set up by the attackers. The code was designed to capture personal and financial information entered by users on the checkout page.

At the time of writing the software skimmer is still present on the online store:

live.sequracdn[.]net/storage/modrrnize.js 

The script changes depending on the section of the site visited by the user.

“This script is not easy to spot as it will load a non-malicious or malicious script depending on the visitor and section of the site being visited,” reported BleepingComputer.

“For most of the site, the loaded JavaScript file looks like a normal 11KB and non-malicious script. However if you are using a US-based IP address, non-Linux browsers, not on the AWS platform, and at the checkout page, the script being delivered changes from 11KB to 20KB, with the Magecart portion appended to the bottom as shown below.”
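Conditional delivery of this kind can be detected by fetching the same script URL from several vantage points (page, country, operating system) and comparing the bodies. The following is an added example, not code from the original article or from the researchers; the URLs, field names and sample bodies are constructed stand-ins.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample data: script URLs fetched from several vantage points.
# Bodies are harmless stand-ins; URLs and field names are hypothetical.
CLEAN = "/* ui helpers */" + "a" * 1100
TAMPERED = CLEAN + "/* appended block */" + "b" * 900
LIB, APP = "https://cdn.example.net/lib.js", "https://static.example.org/app.js"
OBSERVATIONS = [
    {"url": LIB, "page": "/", "country": "US", "os": "Windows", "body": CLEAN},
    {"url": LIB, "page": "/checkout", "country": "DE", "os": "Windows", "body": CLEAN},
    {"url": LIB, "page": "/checkout", "country": "US", "os": "Linux", "body": CLEAN},
    {"url": LIB, "page": "/checkout", "country": "US", "os": "Windows", "body": TAMPERED},
    {"url": APP, "page": "/", "country": "US", "os": "macOS", "body": "app"},
    {"url": APP, "page": "/checkout", "country": "US", "os": "macOS", "body": "app"},
]

def digest(obs):
    """SHA-256 of the script body as served in this observation."""
    return hashlib.sha256(obs["body"].encode()).hexdigest()

def find_cloaked_scripts(observations):
    """Return one finding per response that differs from the URL's most common body."""
    by_url = defaultdict(list)
    for obs in observations:
        by_url[obs["url"]].append(obs)
    findings = []
    for url, group in by_url.items():
        counts = Counter(digest(o) for o in group)
        if len(counts) < 2:
            continue  # same bytes from every vantage point: nothing conditional seen
        baseline_hash = counts.most_common(1)[0][0]
        baseline = next(o["body"] for o in group if digest(o) == baseline_hash)
        for obs in group:
            if digest(obs) == baseline_hash:
                continue
            findings.append({
                "url": url,
                "context": (obs["page"], obs["country"], obs["os"]),
                "extra_bytes": len(obs["body"]) - len(baseline),
                # True when the usual script is intact and code was added after it
                "appended": obs["body"].startswith(baseline),
            })
    return findings

if __name__ == "__main__":
    for finding in find_cloaked_scripts(OBSERVATIONS):
        print(finding)
```

A single-vantage crawl (for example, only a Linux host in a cloud provider) would see the baseline body every time, which is why the comparison needs observations that vary the visitor profile and the page.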

The Smith & Wesson online store runs on Magento; attackers likely exploited a known vulnerability to compromise the system and inject the malicious code.

Earlier in November, Magento addressed a remote code execution vulnerability, tracked as CVE-2019-8144, that could allow unauthenticated attackers to deliver malicious payloads.

Users who have recently made purchases at smith-wesson.com are advised to contact their credit card company and monitor their statements for suspicious activity.

In November, Macy’s started notifying some of its customers that crooks used a software skimmer to steal their personal and financial information.
