The online store of American gun manufacturer Smith & Wesson fell victim to a Magecart attack designed to steal customers’ payment data.

Willem de Groot of Sanguine Security learned that a particular Magecart group had been impersonating his employer and abusing his name as a contact to register domain names.

While investigating this group, de Groot observed that the attackers had compromised Smith & Wesson’s online store before Black Friday with a script from live.sequracdn[.]net/storage/modrrnize.js.

In its verification of de Groot’s findings, Bleeping Computer found that the script was sometimes difficult to spot depending on the visitor and what section of the compromised store they visited:

For most of the site, the loaded JavaScript file looks like a normal 11KB and non-malicious script.

However, if you are using a US-based IP address, non-Linux browsers, not on the AWS platform, and at the checkout page, the script being delivered changes from 11KB to 20KB, with the Magecart portion appended to the bottom as shown below.

That 20KB script, in turn, loaded a fake payment form that sent customers’ information to https://live.sequracdn[.]net/t/, a server under the attackers’ control.
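
One way a store operator can catch this kind of conditional delivery is to fetch the same third-party script under several visitor profiles and compare the bodies. The following is an added example, not code from the original article or from Bleeping Computer's analysis; the profiles, the host allowlist and the `collector.invalid` host are constructed placeholders.

```javascript
// Added example: flag a third-party script whose body depends on the visitor.
// Every observation below is constructed sample data, not captured traffic.

// Hosts this hypothetical store expects its scripts to reference.
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// observations[0] is the baseline fetch; the rest are the same URL fetched
// with a different profile (client IP region, user agent, referring page).
function findCloaking(observations, allowedHosts = ALLOWED_HOSTS) {
  const [baseline, ...rest] = observations;
  const findings = [];
  for (const obs of rest) {
    if (obs.body === baseline.body) continue; // identical body, nothing to report
    // The article describes the skimmer as appended to the bottom of the
    // clean file, so check whether the baseline is a strict prefix.
    const appended = obs.body.startsWith(baseline.body);
    const tail = appended ? obs.body.slice(baseline.body.length) : obs.body;
    // Collect hosts referenced by the differing part that are not allowlisted.
    const hosts = [...tail.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)]
      .map((m) => m[1].toLowerCase())
      .filter((h) => !allowedHosts.has(h));
    findings.push({
      profile: obs.profile,
      sizeDelta: Buffer.byteLength(obs.body) - Buffer.byteLength(baseline.body),
      appended,
      unexpectedHosts: [...new Set(hosts)],
    });
  }
  return findings;
}

// Constructed sample: a clean library body and a tail that posts elsewhere.
const CLEAN = "/* ui library */ function feature(){ return true; }\n";
const TAIL = "(function(){ var u='https://collector.invalid/t/'; /* form hook */ })();\n";
const SAMPLE = [
  { profile: "Linux UA, home page", body: CLEAN },
  { profile: "Linux UA, checkout", body: CLEAN },
  { profile: "Windows UA, US IP, checkout", body: CLEAN + TAIL },
];

console.log(JSON.stringify(findCloaking(SAMPLE), null, 2));
```

A finding with `appended: true` and a non-empty `unexpectedHosts` list matches the pattern reported here: a benign file that grows only for checkout visitors and references a host the store does not use.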

A video of the compromise in action can be found below.

Smith & Wesson isn’t the only retailer whose online store has suffered a Magecart attack this year. Illustrating this fact, Malwarebytes revealed that it had detected and blocked over 65,000 attempts to steal credit card information from online stores compromised in a Magecart attack during July 2019.

Customers of Smith & Wesson should carefully review their payment card account statements for suspicious activity. If they spot anything abnormal, they should report those charges to their card issuer as soon as possible.

Simultaneously, retailers should consider investing in a sophisticated security solution that can help them better protect