BreachExchange mailing list archives
Smith & Wesson Web Site Hacked to Steal Customer Payment Info
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 3 Dec 2019 09:07:03 -0600
https://www.bleepingcomputer.com/news/security/smith-and-wesson-web-site-hacked-to-steal-customer-payment-info/

American gun manufacturer Smith & Wesson's online store has been compromised by attackers who have injected a malicious script that attempts to steal customers' payment information.

This type of attack is called Magecart and is when hackers compromise a web site so that they can inject malicious JavaScript scripts into ecommerce or checkout pages. These scripts then steal payment information that is submitted by a customer by sending it to a remote site under the attacker's control.

According to Sanguine Security's Willem de Groot, a Magecart group has been registering domain names named after his company and utilizing his name as the domain contact.

When researching this group and other sites that they have compromised, de Groot discovered that the web site for Smith & Wesson had been compromised some time before Black Friday to include a similar script from this group.

This time, though, the script injected into smith-wesson.com is coming from the URL live.sequracdn[.]net/storage/modrrnize.js as shown below.

This script is not easy to spot as it will load a non-malicious or malicious script depending on the visitor and section of the site being visited. For most of the site, the loaded JavaScript file looks like a normal 11KB and non-malicious script.

However, if you are using a US-based IP address, non-Linux browsers, not on the AWS platform, and at the checkout page, the script being delivered changes from 11KB to 20KB, with the Magecart portion appended to the bottom as shown below.

When this script is loaded, during checkout a fake payment form will be shown. If a customer enters their payment information in this form and submits it, the payment information will first be sent to https://live.sequracdn.net/t/, which is a server that belongs to the attackers. The attackers can then log into their server and retrieve the stolen payment information.
In tests by BleepingComputer, we have been able to independently confirm de Groot's findings and, as the video below shows, the size and contents of the live.sequracdn[.]net/storage/modrrnize.js script change depending on what section of the site you are on.

If you have recently shopped at smith-wesson.com and entered payment information, you need to contact your credit card company and monitor your statements for suspicious or fraudulent charges.

BleepingComputer has attempted to contact American Outdoors, the owner of Smith & Wesson, Smith & Wesson, and executives from the company in order to warn them of this compromise, but had not heard back prior to publishing this article.
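
The two traits the article describes, a script loaded from a host the store does not control and a script whose body changes on the checkout page, can both be checked from the site owner's side. The following is an added example, not part of the original post or of any tool named in it; every host name, the HTML and the script bodies are constructed placeholders.

```javascript
// Added example: all hosts, HTML and script bodies below are constructed.
const ALLOWED_HOSTS = new Set(["shop.example.test", "cdn.example.test"]);

// Resolve every <script src=...> on a page and return the distinct hosts
// that are not on the store's allowlist.
function unapprovedScriptHosts(html, pageUrl) {
  const found = new Set();
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    try {
      found.add(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch (e) { /* unparsable src, skip */ }
  }
  return [...found].filter((h) => !ALLOWED_HOSTS.has(h));
}

// observations: [{ url, context, body }] collected by fetching the same script
// URL while on different sections of the site. Returns the URLs whose body
// is not identical in every context, with the size seen in each.
function contextDependentScripts(observations) {
  const byUrl = new Map();
  for (const o of observations) {
    if (!byUrl.has(o.url)) byUrl.set(o.url, []);
    byUrl.get(o.url).push(o);
  }
  const flagged = [];
  for (const [url, obs] of byUrl) {
    if (new Set(obs.map((o) => o.body)).size > 1) {
      flagged.push({ url, sizes: obs.map((o) => [o.context, o.body.length]) });
    }
  }
  return flagged;
}

// Constructed sample input.
const CHECKOUT_HTML = `
  <script src="/js/app.js"></script>
  <script src="https://cdn.example.test/jquery.min.js"></script>
  <script src="//live.lookalike-cdn.example.net/storage/lib.js"></script>`;
const BENIGN = "a".repeat(11000);
const SAMPLES = [
  { url: "https://live.lookalike-cdn.example.net/storage/lib.js", context: "home", body: BENIGN },
  { url: "https://live.lookalike-cdn.example.net/storage/lib.js", context: "checkout", body: BENIGN + "b".repeat(9000) },
  { url: "https://cdn.example.test/jquery.min.js", context: "home", body: "q".repeat(500) },
  { url: "https://cdn.example.test/jquery.min.js", context: "checkout", body: "q".repeat(500) },
];

console.log(unapprovedScriptHosts(CHECKOUT_HTML, "https://shop.example.test/checkout"));
console.log(JSON.stringify(contextDependentScripts(SAMPLES)));
```

Because the article reports that delivery also depended on IP address and browser, observations gathered from a single vantage point can miss the variant; a body that differs between contexts is a triage signal to inspect, not proof of a skimmer.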