Smith & Wesson Website Hacked using Magecart Exploit
If you’ve shopped at Smith & Wesson’s website lately, you might want to get in touch with your bank or credit card company. That’s because, according to Sanguine Security Labs, the firearm giant’s ecommerce storefront recently fell victim to a fast-spreading form of web-skimming attack known as Magecart. To clear up any confusion, the moniker “Magecart” is used to describe both the attack technique and the loose collection of criminal groups behind it. Here, we will mostly use it to denote the former.
For the uninitiated, Magecart is a particularly nasty sort of targeted attack in which malicious JavaScript (a “skimmer”) is injected into an ecommerce site’s pages so that it quietly copies the personal and payment details a customer types in, usually at checkout, and sends them to a server the attackers control. Bleeping Computer published a superb article Monday night explaining the Smith & Wesson breach, but it assumes a level of domain knowledge that I wouldn’t expect most readers to possess. As an information security professional with experience in the retail industry, allow me to outline, in simplified terms, what exactly happened and why Magecart is so dangerous.
I think it’s safe to say that ecommerce is ubiquitous. There are thousands, if not millions, of ecommerce sites out there selling all sorts of products. Despite this diversity, only a handful of major ecommerce software platforms power most of them, so many sites share the same (or similar) core code developed by a small collection of vendors. Examples of these platforms include IBM’s WebSphere Commerce/Commerce on Cloud, Magento (used by Smith & Wesson, and Magecart’s most-targeted platform), and WooCommerce for WordPress.
Each of the aforementioned solutions is, by default, relatively barebones. They’re extremely powerful and modular but are rarely ready to go straight “out of the box”. Functionality we typically expect from a quality website, like shipping calculation, product recommendations, and even “basic” features like search and payment processing, often must be added via custom code or with modules of code known as plugins/extensions, many of which load scripts from the plugin vendor’s own servers. While the platforms themselves aren’t perfect, the real security risks start to crop up once customization begins.
Magecart group activity frequently targets third-party ecommerce plugins and the scripts they load. From an attacker’s perspective, compromising third-party providers makes sense. Once a third-party tool or script has been adopted, few companies reassess the code’s behavior or check whether it has changed since it was approved. Secure code from approved third-party developers is more or less taken for granted. Thus, the trust established between a retailer and its third-party service providers is extremely easy to abuse. Moreover, compromising a third-party service is appealing because a breach at that level potentially grants attackers the ability to run code on every site that leverages that service. It’s still unclear exactly how Magecart managed to modify Smith & Wesson’s storefront code, and so far there’s no clear evidence that a third-party tool was compromised in this case.
Why it Matters
It’s worth noting that at this point, there is no reason to believe that Smith & Wesson’s breach is in any way motivated by Second Amendment politics. Past Magecart victims include British Airways, electronics retailer Newegg, and Ticketmaster. The consortium of hacker groups associated with Magecart stepped up skimming activity across the web just prior to Black Friday, and retailers of all sorts are scrambling to protect themselves from Magecart-style attacks.
For customers, the risk posed by Smith & Wesson’s compromise is clear. Skimmer code on the site (now removed) allowed criminal hackers to capture sensitive personal information and payment card data that may later be used for fraud. It’s too early to tell how many customers were affected by the breach, and thus the ramifications for Smith & Wesson aren’t fully clear. However, in response to Sanguine’s report, the company appears to have completely disabled checkout functionality on its website. While Smith & Wesson firearms are sold via distribution channels and are not available on the company’s ecommerce site, Smith is undoubtedly missing out on high-margin apparel and gear sales during the busiest shopping season of the year.
An information security professional by day and gun blogger by night, Nathan started his firearms journey at 16 years old as a collector of C&R rifles. These days, you’re likely to find him shooting something a bit more modern – and usually equipped with a suppressor – but his passion for firearms with military heritage has never waned. Over the last five years, Nathan has written about a variety of firearms topics, including Second Amendment politics and gun and gear reviews. When he isn’t shooting or writing, Nathan nerds out over computers, 3D printing, and Star Wars.