American gun manufacturer Smith & Wesson's online store has been compromised by attackers who have injected a malicious script that attempts to steal customers' payment information.

This type of attack is called Magecart: hackers compromise a web site so that they can inject malicious JavaScript into its ecommerce or checkout pages. These scripts then steal the payment information that a customer submits by sending it to a remote site under the attacker's control.

According to Sanguine Security's Willem de Groot, a Magecart group has been registering domain names named after his company and utilizing his name as the domain contact.

Magecart actors impersonating Sanguine Labs

When researching this group and other sites that they have compromised, de Groot discovered that the web site for Smith & Wesson had been compromised some time before Black Friday to include a similar script from this group.

This time, though, the script injected into smith-wesson.com is coming from the URL live.sequracdn[.]net/storage/modrrnize.js as shown below.

Magecart script loading on smith-wesson.com

This script is not easy to spot as it will load a non-malicious or malicious script depending on the visitor and section of the site being visited.

For most of the site, the loaded JavaScript file looks like a normal, non-malicious 11KB script.

However, if you are using a US-based IP address and a non-Linux browser, are not on the AWS platform, and are at the checkout page, the script being delivered changes from 11KB to 20KB, with the Magecart portion appended to the bottom as shown below.

Magecart version of modrrnize.js loaded

When this script is loaded, during checkout a fake payment form will be shown.

Fake payment form

If a customer enters their payment information in this form and submits it, the payment information will first be sent to https://live.sequracdn.net/t/, which is a server that belongs to the attackers.

The attackers can then log into their server and retrieve the stolen payment information.

In tests by BleepingComputer, we have been able to independently confirm de Groot's findings and, as the video below shows, the size and contents of the live.sequracdn[.]net/storage/modrrnize.js script change depending on what section of the site you are on.
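
A site owner monitoring third-party scripts can check for this kind of conditional delivery by fetching the same script URL under several client profiles and pages and comparing the bodies. The sketch below is an added example, not code from the article or from de Groot; the profile names, page paths and script bodies are constructed placeholders, and it assumes the most frequently served body is the benign baseline.

```python
import hashlib
from collections import Counter

# Constructed stand-ins sized like the article's 11KB and 20KB responses.
BENIGN = b"/* constructed benign library */".ljust(11 * 1024)
TAMPERED = BENIGN + b"/* constructed placeholder for appended code */".ljust(9 * 1024)

# Constructed observations: the same script URL fetched under different
# client profiles and pages (profile and page names are hypothetical).
OBSERVATIONS = [
    {"profile": "US / Windows", "page": "/", "body": BENIGN},
    {"profile": "US / Windows", "page": "/checkout", "body": TAMPERED},
    {"profile": "US / Linux", "page": "/checkout", "body": BENIGN},
    {"profile": "non-US / Windows", "page": "/checkout", "body": BENIGN},
    {"profile": "AWS-hosted / Windows", "page": "/checkout", "body": BENIGN},
]


def find_cloaked_variants(observations):
    """Report every body that differs from the most commonly served one."""
    digests = [hashlib.sha256(o["body"]).hexdigest() for o in observations]
    # Assumption: the body served most often is the benign baseline.
    baseline_digest = Counter(digests).most_common(1)[0][0]
    baseline = observations[digests.index(baseline_digest)]["body"]

    findings = {}
    for obs, digest in zip(observations, digests):
        if digest == baseline_digest:
            continue
        finding = findings.setdefault(digest, {
            "sha256": digest,
            "size": len(obs["body"]),
            "size_delta": len(obs["body"]) - len(baseline),
            # True when the baseline is intact and extra code follows it.
            "appended_to_baseline": obs["body"].startswith(baseline),
            "served_to": [],
        })
        finding["served_to"].append((obs["profile"], obs["page"]))
    return list(findings.values())


if __name__ == "__main__":
    for f in find_cloaked_variants(OBSERVATIONS):
        print(f"{f['sha256'][:16]} size={f['size']} ({f['size_delta']:+d}) "
              f"appended={f['appended_to_baseline']} served_to={f['served_to']}")
```

A variant that keeps the baseline intact and only grows at the end, served to a single profile on the checkout page, matches the delivery pattern described above.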

If you have recently shopped at smith-wesson.com and entered payment information, you need to contact your credit card company and monitor your statements for suspicious or fraudulent charges.

BleepingComputer has attempted to contact American Outdoors, the owner of Smith & Wesson, Smith & Wesson, and executives from the company in order to warn them of this compromise, but had not heard back prior to publishing this article.