Magecart Sets Sights on Smith & Wesson, Other High-Profile Stores

The infamous credit card-skimming group Magecart has struck again. After incidents in the past few months that saw the threat actor go after customers of online shops and hotel chains, the group has set its sights on a new set of targets: high-profile stores, including firearms vendor Smith & Wesson (S&W).

[READ: Magecart’s history of attacks also involved schools and advertising companies]

According to security researcher Willem de Groot of Sanguine Security, threat actors took advantage of the Black Friday rush by injecting credit card skimmers into the sites of a number of high-profile stores such as S&W. The group behind the attack injected the skimmer into S&W’s website on November 27 — a couple of days before Black Friday, most likely in anticipation of the high volume of traffic going to the website. Note that the skimmer has been removed from the S&W store as of the time of writing.

The skimmer features an impressive list of capabilities, such as anti-reverse-engineering measures, a three-stage loader, and multiple layers of JavaScript obfuscation to hide its tracks. When a user visits the compromised website, the command-and-control (C&C) server initially sends harmless code — up until the actual payment process, when the skimmer begins its malicious routine. To make the skimming attack look more legitimate, a fake payment confirmation code is presented to the user. Behind the scenes, however, malicious code is already running, sneakily exfiltrating customer data such as payment information to the C&C server.

Sanguine Security notes that these attacks only worked for users who met the following criteria:

  • Using U.S.-based IP addresses
  • Using non-Linux-based browsers
  • Not using the AWS platform

Recommendations and Trend Micro solutions

The rise of Magecart highlights the need for vendors and other organizations to properly secure their websites and applications. Data theft via an attack such as the ones regularly performed by Magecart can mean monetary losses, not only for customers but also for the company whose website or application was compromised, especially given the potentially steep fines meted out to violators of data privacy laws such as the General Data Protection Regulation (GDPR).  

Organizations can minimize the chances of compromise by consistently applying the newest patches and updates to the software they use and by shoring up the authentication mechanisms provided to customers. Furthermore, it is recommended that IT and security teams proactively monitor their websites for any sign of malicious activities, such as unauthorized access or data exfiltration.
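The gating described above (harmless code for Linux browsers and AWS-hosted clients, the real loader only for U.S. shoppers) has a practical consequence for the monitoring recommended here: a page-integrity scanner that crawls the checkout page from a Linux box in a cloud provider will be fed the benign version and see nothing. The script below is an added example written for this article, not code from Trend Micro or Sanguine Security. It builds a script inventory (external `src` URLs plus SHA-256 of inline script bodies) for a checkout page and reports drift from a known-good baseline, run once per browsing profile so that a capture taken as a U.S. Windows shopper is compared alongside one taken from a cloud crawler. The two page captures, the `.invalid` domain and the loader snippet are constructed placeholders, not indicators from the incident.

```python
"""
Baseline-drift check for a checkout page's script inventory.

Constructed example (not from the article or Sanguine Security): two
captures of the same checkout page, one as a Linux crawler on a cloud
IP would see it (gated skimmer stays dormant, page looks clean) and one
as a U.S. Windows shopper would see it (extra loader stage injected).
Domains and script bodies are placeholders, not real indicators.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; buffer them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def script_inventory(html):
    """Return (external_srcs, inline_sha256s) for one page capture."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return frozenset(p.external), frozenset(p.inline_hashes)


def drift(baseline_html, observed_html):
    """Scripts present in the observed capture but absent from the baseline."""
    b_ext, b_inl = script_inventory(baseline_html)
    o_ext, o_inl = script_inventory(observed_html)
    return {"new_external": sorted(o_ext - b_ext),
            "new_inline": sorted(o_inl - b_inl)}


# Constructed captures. PLACEHOLDER domains; the shopper capture carries an
# extra first-stage loader that a gated C&C only serves to qualifying clients.
BASELINE = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.cfg={"currency":"USD"};</script>
</head><body>...</body></html>"""

CAPTURE_LINUX_CLOUD = BASELINE  # dormant: server returned harmless code only

CAPTURE_US_WINDOWS = BASELINE.replace(
    "</head>",
    '<script src="https://cdn-placeholder.invalid/loader.js"></script>\n'
    '<script>(function(){var _0x=["placeholder"];/* stage-1 loader */})();</script>\n'
    "</head>")


def scan_all(captures):
    """Run drift() for every vantage point, keyed by profile name."""
    return {name: drift(BASELINE, html) for name, html in captures.items()}


if __name__ == "__main__":
    results = scan_all({"linux-cloud": CAPTURE_LINUX_CLOUD,
                        "us-windows": CAPTURE_US_WINDOWS})
    for profile, result in results.items():
        print(profile, result)
```

Only the `us-windows` profile reports drift; the `linux-cloud` profile matches the baseline exactly, which is the blind spot the gating is designed to exploit. In practice the baseline would be regenerated on each legitimate deployment and the captures taken with real browsers from residential vantage points, with any new external origin or unknown inline hash raised as an alert.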

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking scripts and preventing access to malicious domains:
