Security firm Sanguine Security has revealed that hackers based in Russia recently impersonated its domain and used fake domains as a cover to inject malicious code into the website of gun manufacturer Smith & Wesson to skim payment card details from the site's checkout page.
The security firm, which specializes in e-commerce fraud protection services, recently discovered that hackers had injected a malicious script into the website of Smith & Wesson which, at first look, appeared to belong to the security firm.
While Sanguine Security owns the domain sansec.io, the hackers created fake domains such as sansec.us and sanguinelab.net to carry out their information-skimming campaign.
Even though the impersonating domain sansec.us was registered to Sanguine Security's researcher William de Groot and featured a Netherlands address to appear genuine, the name servers associated with the domain were "ns1.reg.ru" and "ns2.reg.ru", leaving no doubt as to who operated the fake domain.
Magecart hackers impersonated security firm's domain to target Smith & Wesson
The use of a security firm's script within the code of a website would ideally give the impression that the script is being run by the security firm to ensure the website's security. It appears the hackers intended to impersonate the security firm's domain to evade detection by Smith & Wesson or by White Hat researchers.
Researchers at Sanguine Security observed the presence of the malicious script, namely "live.sequracdn.net/storage/modrrnize.js" on Smith & Wesson's website on 27 November and found that the script continued to remain on the site until 3 December, indicating that hackers may have used it to skim payment card information from the checkout page on Black Friday.
"The loader at live.sequracdn.net/storage/modrrnize.js serves some innocent code, until you start the actual payment process. It only works for US-based IPs, using non-Linux browsers, and not using the AWS platform," the firm said, adding that the loader's file size changed from 11 to 20 KB upon entering the checkout section.
At the third stage of infection, the malicious script constructed a fake payment form and loaded a file named "https://live.sequracdn.net/storage/mk.js" that contained the actual exfiltration code. Once visitors to the website entered their payment information on the checkout page, the file intercepted such information and sent them to https://live.sequracdn.net/t/.
"Given the multitude of external content on modern web pages, especially on the e-commerce websites, it’s extremely complicated to maintain an up to date inventory of legitimate external scripts and trackers."
Even though the skimming code was removed from the website on 3 December, Smith & Wesson are yet to issue any statement or provide any update with reference to the malicious code that was designed to steal payment card information from its website.
Magecart hackers continuing with their highly-successful skimming techniques
The technique used by hackers in this operation was quite similar to techniques used by Magecart hackers to inject malicious code into websites owned by e-commerce firms and well-known brands and exfiltrate payment card information and other details from their checkout pages.
The researcher also told Bleeping Computer that hackers used a fake Google Tag Manager snippet to hide the malicious activity and that the skimming code captured details like name of cardholders, card numbers, expiration dates, and CVV numbers- all details necessary to carry out an unauthorised online purchase.