Posted on December 4, 2019 at 12:09 PM
Despite the recent clampdown on cyber attackers, the activities of hackers show no sign of stopping. This time, they have turned their attention to the American gun manufacturer Smith & Wesson. The company’s website was the target of malicious code meant to steal customers’ payment card information.
The hackers installed a payment skimmer on the gun manufacturer’s website during the Black Friday shopping weekend. The company stated that the code installed by the hackers was still active as of December 2.
This incident is one of a series of Magecart attacks, in which malicious code is injected into e-commerce sites to gain unauthorized access to users’ personal information and credit card details. Just last month, Macy’s reported a similar attack using the same kind of malware. The company said that attackers were using malicious code to access sensitive information belonging to its customers and site users. Although the company has tried to resolve the issue, it has warned users to be alert to such attacks.
How the attacker infiltrates the website
BleepingComputer conducted a test that shows how the hacker infiltrates the gun manufacturer’s website to retrieve sensitive user information. The research company had also contacted Smith & Wesson to inform them about the security breach.
When a customer enters their payment information, a copy of that information is delivered to an address controlled by the hacker. Once the attacker has the user’s information, they can log into their own server and collect the payment details. This is how the hacker obtains the customer’s credit card details from the payment platform.
The malicious code captures the financial and personal information of customers and transfers the captured data to the attacker. Ironically, the hackers have been hiding behind the Sanguine Security name to carry out the attack. According to Smith & Wesson, a forensic security analyst, the skimmer usually hides under the guise of Sanguine Security to retrieve information from its host. This is what makes it hard to detect and difficult to spot in time.
He further said that the hackers’ choice of Sanguine Security was a deliberate one.
The hack closely resembles the work of a particular hacker group that specializes in Magecart attacks. In this type of attack, the group draws information from the portals or online stores of its victims, specifically the credit card details entered there.
Smith & Wesson pointed out that the hackers took advantage of a security vulnerability in the Magento eCommerce platform to compromise the gun manufacturer’s website. Recently, Magento informed customers of a security vulnerability and warned them of the risk of a breach. It asked customers to prepare by installing patches to block any exploitation by unauthorized users.
Malicious code still exists on the portal
As of today, the malicious code is still active on the gun manufacturer’s website. The company has not yet found a way to delete it or stop its activity on the site. However, it assures its customers that the company is working hard to find a solution to the problem and get rid of the malware for good.
To prevent this type of attack, organizations have to implement security best practices by adopting important CIS controls.
The script is quite difficult to spot because it serves either a malicious or a benign version, depending on the section of the site and on the visitor. On any site it has infected, the JavaScript looks like a normal, benign 11 KB script. This makes it much harder to spot because it looks genuine.
But for visitors using the AWS platform, non-Linux browsers, or a US-based IP address, the delivered script changes from 11 KB to 20 KB. When that script loads, a window showing a fake payment form is displayed.
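Because the skimmer described above hands different visitors different copies of the same script URL, a single fetch from one machine can miss it. The following is an added defender-side example, not code from the original article or from any party involved in the incident. It compares what several vantage points received against the script the site owner actually deployed, using the same SHA-384 digest that browsers use for Subresource Integrity (SRI). All script bodies and vantage-point names are constructed sample data; nothing here reproduces the real skimmer.

```python
import base64
import hashlib

# Constructed sample data (not taken from the incident): the checkout script the site
# owner actually deployed. Every visitor should receive exactly this file.
BASELINE_SCRIPT = (
    b"(function(){window.checkout={init:function(){console.log('checkout ready');}};})();"
)

# Constructed responses to the same script URL as observed from several vantage points.
# A skimmer that profiles visitors serves the clean file to some and a larger,
# form-injecting variant to others, so the copies disagree with each other.
SERVED = {
    "linux-crawler-aws": BASELINE_SCRIPT,
    "macos-chrome-us": BASELINE_SCRIPT
    + b"\n/* injected */document.body.insertAdjacentHTML('beforeend',"
    + b"'<form id=\"pay\"><input name=\"cc\"></form>');",
    "windows-edge-eu": BASELINE_SCRIPT,
}


def sri_integrity(script: bytes) -> str:
    """Compute the Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    digest = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_served_scripts(baseline: bytes, served: dict) -> dict:
    """Compare what each vantage point received with the deployed baseline.

    Returns a report keyed by vantage name: byte size, integrity value, size delta
    against the baseline, and whether the integrity value matches. Any mismatch
    means that class of visitor is not getting the file the site owner deployed.
    """
    expected = sri_integrity(baseline)
    report = {}
    for vantage, body in served.items():
        integrity = sri_integrity(body)
        report[vantage] = {
            "bytes": len(body),
            "integrity": integrity,
            "size_delta": len(body) - len(baseline),
            "matches_baseline": integrity == expected,
        }
    return report


def divergent_vantages(baseline: bytes, served: dict) -> list:
    """Sorted names of the vantage points whose served script differs from the baseline."""
    report = audit_served_scripts(baseline, served)
    return sorted(v for v, r in report.items() if not r["matches_baseline"])


def script_tag_with_sri(src: str, script: bytes) -> str:
    """Render the <script> tag a site should ship so browsers refuse a tampered copy."""
    return (
        f'<script src="{src}" integrity="{sri_integrity(script)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    for vantage, row in audit_served_scripts(BASELINE_SCRIPT, SERVED).items():
        status = "ok" if row["matches_baseline"] else "MISMATCH"
        print(f"{vantage:20} {row['bytes']:5d} bytes  {status}")
    print(script_tag_with_sri("/js/checkout.js", BASELINE_SCRIPT))
```

Two points follow from the design. First, the cross-vantage comparison, not the size alone, is the signal: a legitimately deployed static file is byte-identical no matter who fetches it, so any disagreement between vantage points is worth an alert even before anyone reads the extra bytes. Second, the SRI tag only helps when the attacker cannot also rewrite the HTML that carries it; a skimmer injected server-side into the page itself, as in a compromised e-commerce platform, is caught by the external monitoring shown here rather than by the integrity attribute.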