Smith & Wesson data breach: Magecart hackers struck gold on Black Friday

Security firm Sanguine Security has revealed that hackers based in Russia recently impersonated its domain and used fake domains as a cover to inject malicious code into the website of gun manufacturer Smith & Wesson to skim payment card details from the site's checkout page.

The security firm, which specializes in e-commerce fraud protection services, recently discovered that hackers had injected a malicious script into the website of Smith & Wesson which, at first look, appeared to belong to the security firm.

While Sanguine Security owns the domain sansec.io, the hackers created fake domains such as sansec.us and sanguinelab.net to carry out their information-skimming campaign.


Even though the impersonating domain sansec.us was registered in the name of Sanguine Security's researcher William de Groot and carried a Netherlands address to appear genuine, the domain's name servers were "ns1.reg.ru" and "ns2.reg.ru", leaving no doubt as to who operated the fake domain.

Magecart hackers impersonated security firm's domain to target Smith & Wesson

The presence of a security firm's script in a website's code would give the impression that the script is run by that firm to protect the site. It appears the hackers impersonated the security firm's domain to evade detection by Smith & Wesson or by white-hat researchers.

Researchers at Sanguine Security observed the malicious script, loaded from "live.sequracdn.net/storage/modrrnize.js", on Smith & Wesson's website on 27 November and found that it remained on the site until 3 December, indicating that the hackers may have used it to skim payment card information from the checkout page on Black Friday.

"The loader at live.sequracdn.net/storage/modrrnize.js serves some innocent code, until you start the actual payment process. It only works for US-based IPs, using non-Linux browsers, and not using the AWS platform," the firm said, adding that the loader's file size changed from 11 to 20 KB upon entering the checkout section.

Upon analysing the malicious script, the firm found that the skimmer featured multiple anti-analysis measures: detection of browser devtools, of Amazon AWS, of the visitor's country and of Linux, a three-stage loader, and as many as four layers of JavaScript obfuscation to avoid detection.

At the third stage of infection, the malicious script constructed a fake payment form and loaded a file named "https://live.sequracdn.net/storage/mk.js" that contained the actual exfiltration code. Once visitors to the website entered their payment information on the checkout page, the file intercepted that information and sent it to https://live.sequracdn.net/t/.

"The Magecart attack [and its vectors] are well known for almost a decade, but now their sophistication and complexity are rapidly evolving, making it an arduous task to detect them. Oftentimes, malicious scripts will remain unnoticed by automated security scanning, disguising themselves as innocent third-party JavaScript," said Ilia Kolochenko, founder and CEO of ImmuniWeb.

"Given the multitude of external content on modern web pages, especially on the e-commerce websites, it’s extremely complicated to maintain an up to date inventory of legitimate external scripts and trackers."
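Because the loader serves harmless code until the checkout step, scanning the script body alone can miss it; an inventory check on where scripts are loaded from catches both the unknown host and the lookalike-domain trick (sansec.us standing in for sansec.io) regardless of payload. The following audit is an added example, not code from Sanguine Security or Smith & Wesson; the allowlist, the merchant hostname store.example and the sample page fragment are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for a hypothetical merchant (store.example); a real one
# comes from a reviewed inventory of the site's legitimate third-party scripts.
ALLOWED_HOSTS = {"store.example", "cdn.store.example", "sansec.io"}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <script> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def registrable_label(host):
    """Second-level label: 'sansec' for sansec.us, 'sequracdn' for live.sequracdn.net."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def audit_scripts(html, allowed=ALLOWED_HOSTS):
    """Map each external script host to 'allowed', 'lookalike' (same second-level
    label as an allowed host, the sansec.us vs sansec.io pattern) or 'unknown'."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed_labels = {registrable_label(h) for h in allowed}
    verdicts = {}
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for same-origin paths such as /js/app.js
        if host is None:
            continue
        if host in allowed:
            verdicts[host] = "allowed"
        elif registrable_label(host) in allowed_labels:
            verdicts[host] = "lookalike"
        else:
            verdicts[host] = "unknown"
    return verdicts

# Constructed checkout-page fragment mixing legitimate and suspect script hosts.
SAMPLE_HTML = """
<script src="/js/checkout.js"></script>
<script src="https://cdn.store.example/app.js"></script>
<script src="https://sansec.us/monitor.js"></script>
<script src="//live.sequracdn.net/storage/modrrnize.js"></script>
"""
```

Run `audit_scripts` over the checkout page's HTML on a schedule and alert on any verdict other than "allowed"; a lookalike verdict deserves the same urgency as an unknown host.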

Even though the skimming code was removed from the website on 3 December, Smith & Wesson has yet to issue any statement or update regarding the malicious code that was designed to steal payment card information from its website.

Magecart hackers continuing with their highly-successful skimming techniques

The technique used by hackers in this operation was quite similar to techniques used by Magecart hackers to inject malicious code into websites owned by e-commerce firms and well-known brands and exfiltrate payment card information and other details from their checkout pages.

The latest such incident took place shortly before 23 October and involved hackers injecting malicious JavaScript code into the website of French fashion retailer Sixth June to skim payment card details from the checkout page.

The malicious code injection was observed by a security researcher from RapidSpike, who said that the hackers inserted a malicious JavaScript file named 'apiV3.js' into the checkout page of Sixth June's website and loaded it from a domain named 'Mogento[.]info' that mimicked Magento's website. This was likely done to make developers believe that the code was not malicious but had been introduced by the e-commerce platform provider.

The researcher also told Bleeping Computer that the hackers used a fake Google Tag Manager snippet to hide the malicious activity and that the skimming code captured cardholder names, card numbers, expiration dates and CVV numbers, all the details necessary to carry out an unauthorised online purchase.
