[BreachExchange] Smith & Wesson Web Site Hacked to Steal Customer Payment Info

Destry Winant destry at riskbasedsecurity.com
Tue Dec 3 10:07:03 EST 2019


American gun manufacturer Smith & Wesson's online store has been
compromised by attackers who have injected a malicious script that
attempts to steal customers' payment information.

This type of attack is called Magecart: hackers compromise a web site
so that they can inject malicious JavaScript into ecommerce or
checkout pages. These scripts then steal payment information
submitted by a customer by sending it to a remote site under the
attacker's control.

According to Sanguine Security's Willem de Groot, a Magecart group has
been registering domain names named after his company and utilizing
his name as the domain contact.

When researching this group and other sites that they have
compromised, de Groot discovered that the web site for Smith & Wesson
had been compromised some time before Black Friday to include a
similar script from this group.

This time, though, the script injected into smith-wesson.com is coming
from the URL live.sequracdn[.]net/storage/modrrnize.js as shown below.

This script is not easy to spot as it will load a non-malicious or
malicious script depending on the visitor and section of the site
being visited.

For most of the site, the loaded JavaScript file looks like a normal
11KB and non-malicious script.

However, if you are using a US-based IP address and a non-Linux
browser, are not on the AWS platform, and are at the checkout page,
the script being delivered changes from 11KB to 20KB, with the
Magecart portion appended to the bottom as shown below.

When this script is loaded, during checkout a fake payment form will be shown.

If a customer enters their payment information in this form and
submits it, the payment information will first be sent to
https://live.sequracdn.net/t/, which is a server that belongs to the

The attackers can then log into their server and retrieve the stolen
payment information.

In tests by BleepingComputer, we have been able to independently
confirm de Groot's findings and, as the video below shows, the size and
contents of the live.sequracdn[.]net/storage/modrrnize.js script
change depending on what section of the site you are on.
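
Because the script is served differently depending on the visitor and the page, a single fetch can miss the malicious variant. The following is an added example, not part of the original article: it compares fetches of the same script URL taken under different visitor profiles and reports URLs whose body varies, noting whether the larger variant is the smaller one with code appended. The observation records, profile fields and .example hosts are constructed for illustration.

```javascript
// Added example; all observations are constructed and use reserved .example hosts.
// Length of the shared leading portion of two strings.
function commonPrefixLength(a, b) {
  const n = Math.min(a.length, b.length);
  let i = 0;
  while (i < n && a[i] === b[i]) i++;
  return i;
}

// Group fetches by script URL and report URLs served with more than one body.
function findCloakedScripts(observations) {
  const byUrl = new Map();
  for (const o of observations) {
    if (!byUrl.has(o.url)) byUrl.set(o.url, []);
    byUrl.get(o.url).push(o);
  }
  const findings = [];
  for (const [url, group] of byUrl) {
    const bodies = [...new Set(group.map((o) => o.body))];
    if (bodies.length < 2) continue; // same body for every profile
    bodies.sort((a, b) => a.length - b.length);
    const base = bodies[0];
    const largest = bodies[bodies.length - 1];
    // "Appended" means the small variant is an exact prefix of the large one.
    const appended = commonPrefixLength(base, largest) === base.length;
    findings.push({
      url,
      sizes: bodies.map((b) => b.length),
      appended,
      appendedLength: appended ? largest.length - base.length : 0,
      // Profiles that received the largest variant reveal the serving conditions.
      triggeredBy: group.filter((o) => o.body === largest).map((o) => o.profile),
    });
  }
  return findings;
}

const BASE = "/* constructed stand-in for the benign library */\n".repeat(4);
const TAIL = "/* constructed stand-in for the appended code */\n".repeat(3);
const SCRIPT = "https://cdn.thirdparty.example/storage/lib.js";
const SAMPLE = [
  { url: SCRIPT, profile: { geo: "US", os: "Windows", page: "/checkout" }, body: BASE + TAIL },
  { url: SCRIPT, profile: { geo: "US", os: "Linux", page: "/checkout" }, body: BASE },
  { url: SCRIPT, profile: { geo: "DE", os: "Windows", page: "/checkout" }, body: BASE },
  { url: SCRIPT, profile: { geo: "US", os: "Windows", page: "/" }, body: BASE },
  { url: "https://static.shop.example/app.js", profile: { geo: "US", os: "Linux", page: "/" }, body: "/* same */" },
  { url: "https://static.shop.example/app.js", profile: { geo: "US", os: "Windows", page: "/checkout" }, body: "/* same */" },
];
console.log(JSON.stringify(findCloakedScripts(SAMPLE), null, 2));
```

A finding with more than one size for the same URL, especially one where only the checkout-page profile receives the larger body, is the pattern to investigate.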

If you have recently shopped at smith-wesson.com and entered payment
information, you need to contact your credit card company and monitor
your statements for suspicious or fraudulent charges.

BleepingComputer has attempted to contact American Outdoors, the owner
of Smith & Wesson, Smith & Wesson, and executives from the company in
order to warn them of this compromise, but had not heard back prior to
publishing this article.
