A Magecart group has compromised the website of American gun manufacturer Smith & Wesson by injecting malicious code designed to lift customers' payment data at checkout.
The incident was found by Sanguine Security's Willem de Groot, who was investigating payment skimmers impersonating Sanguine Security's anti-skimming service. He found attackers were registering malicious domains named after Sanguine and using his name as the registrant.
These fake skimmers have been used on several high-profile stores, including Smith & Wesson, de Groot explains in a blog post. Not all of the malware impersonates the Sanguine domain name; however, the major skimmers share identical code and infrastructure. Smith & Wesson was hit with a skimmer on Nov. 27, he says, and it was present when he published on Dec. 2.
The skimmer on this website is "exceptionally sophisticated" and contains multiple levels of obfuscation, each rendering a new anonymous function to complicate debugging, de Groot says. Most of the site's script is benign, though the Magecart code appears on the checkout page for visitors who use a US-based IP address and non-Linux browser and who aren't on AWS. In these cases, the file size changes from 11KB to 20KB upon visiting the checkout page.
When someone under these conditions goes to the checkout page, they are shown a fake payment form. The details they submit are exfiltrated to a server controlled by attackers.
Read more details here.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."