Cyber Incident Victim: Smith & Wesson
Date: Nov 2019
Location: United States of America
Summary
Smith & Wesson's online store was compromised via a Magecart attack involving malicious JavaScript injection into checkout pages, dynamically loading scripts from an attacker-controlled domain to steal payment information. The script selectively targeted US-based non-Linux users not on AWS infrastructure, displaying fraudulent payment forms that captured and exfiltrated customer data to external servers, enabling potential financial fraud. Security researchers independently confirmed the compromise, noting the attackers impersonated legitimate entities to host malicious infrastructure.
Description
In late November 2019, attackers compromised Smith & Wesson's e-commerce website (smith-wesson.com) to deploy payment card-stealing malware. Security researcher Willem de Groot identified the breach while tracking a Magecart group that had registered domains impersonating his firm, Sanguine Security. The attackers injected malicious JavaScript, loaded from live.sequracdn[.]net/storage/modrrnize.js, into the checkout page. The script employed sophisticated evasion techniques, delivering a benign 11KB file to most visitors while activating a 20KB malicious payload only when all of the following conditions held: the request came from a US IP address, the browser was not running on Linux, the client was not on AWS infrastructure, and the visitor was on the checkout page. This conditional loading mechanism aimed to bypass security scans and target genuine customers. The malicious script replaced legitimate payment forms with fraudulent versions that captured credit card details and exfiltrated them to the attackers' server at https://live.sequracdn.net/t/. Evidence indicated the compromise occurred prior to Black Friday (November 29, 2019), positioning the attack to maximize victim exposure during peak shopping activity.
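The conditional delivery described above means a scan from a single vantage point only ever sees the benign file. The following added example (not code from the incident report or from any researcher named here) compares fetch results for the same script URL across client profiles and flags URLs whose body changes with the profile; the hosts, digests and the `findCloakedScripts` helper are constructed for illustration.

```javascript
// Constructed observations of one script URL fetched from several vantage points.
// Sizes mirror the 11KB / 20KB figures in the text; digests and hosts are placeholders.
const row = (url, country, os, network, page, bytes, digest) =>
  ({ url, country, os, network, page, bytes, digest });
const SKIM = "https://cdn.example.test/lib.js";
const observations = [
  row(SKIM, "DE", "Linux", "aws", "home", 11264, "digest-benign"),
  row(SKIM, "US", "Linux", "residential", "checkout", 11264, "digest-benign"),
  row(SKIM, "US", "Windows", "aws", "checkout", 11264, "digest-benign"),
  row(SKIM, "US", "Windows", "residential", "home", 11264, "digest-benign"),
  row(SKIM, "US", "Windows", "residential", "checkout", 20480, "digest-variant"),
  row("https://static.example.test/app.js", "DE", "Linux", "aws", "home", 5120, "digest-app"),
  row("https://static.example.test/app.js", "US", "Windows", "residential", "checkout", 5120, "digest-app"),
];

// Flag script URLs whose body differs between vantage points, and report the
// client profiles that received the non-baseline body.
function findCloakedScripts(obs) {
  const byUrl = new Map();
  for (const o of obs) {
    if (!byUrl.has(o.url)) byUrl.set(o.url, []);
    byUrl.get(o.url).push(o);
  }
  const findings = [];
  for (const [url, rows] of byUrl) {
    const counts = new Map();
    for (const r of rows) counts.set(r.digest, (counts.get(r.digest) || 0) + 1);
    if (counts.size < 2) continue; // same body everywhere: no cloaking signal
    // Treat the most frequently served body as the baseline.
    const baseline = [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
    const variants = rows.filter((r) => r.digest !== baseline);
    findings.push({
      url,
      baselineBytes: rows.find((r) => r.digest === baseline).bytes,
      variants: variants.map(({ country, os, network, page, bytes }) =>
        ({ country, os, network, page, bytes })),
      // True when no cloud-hosted or Linux vantage point ever saw a variant,
      // i.e. a scanner run only from such hosts would have reported nothing.
      missedByCloudOrLinuxScanner: variants.every(
        (v) => v.network !== "aws" && v.os !== "Linux"),
    });
  }
  return findings;
}

console.log(JSON.stringify(findCloakedScripts(observations), null, 2));
```

Real monitoring would fill `observations` from fetches made through residential and cloud egress points with differing user agents, on both checkout and non-checkout pages.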

The incident exposed customers who entered payment details on Smith & Wesson's checkout page to financial fraud. BleepingComputer independently verified de Groot's findings, confirming the script's behavior changed dynamically based on user context. Stolen data was transmitted to attacker-controlled infrastructure, enabling unauthorized access to payment credentials. Attempts to notify Smith & Wesson's parent company, American Outdoor Brands Corporation, and company executives went unanswered before publication on December 2, 2019. Affected customers were advised to monitor credit card statements for fraudulent charges and contact financial institutions. The attackers' use of infrastructure mimicking a legitimate security firm and their evasion tactics demonstrated deliberate targeting of e-commerce environments. No information was disclosed regarding subsequent containment measures or forensic investigations by the company.
