If you recently bought something from Smith & Wesson on Black Friday, watch out. The gun manufacturer's website has been spotted hosting computer code that can steal your credit card details and forward them to hackers.

The code was injected into Smith & Wesson's website on Nov. 27 and remained there until Tuesday morning, according to fraud detection company Sanguine Security, which first noticed the "payment card skimming" attack.

The data collection works via a JavaScript program that runs when a US-based browser loads the Smith & Wesson website. The program remains relatively dormant until the user goes to the checkout process, at which point the malicious JavaScript fully activates and creates a fake payment form. Any payment card details entered are then collected and sent off to a hacker-controlled website.

Stock listed gun maker @Smith_WessonInc got popped during Black Friday. Payment skimmer injected on Nov 27, still active (co-research by @AffableKraut) pic.twitter.com/eh8sokUi73 — Willem de Groot (@gwillem) December 2, 2019

The incident represents the latest "Magecart" attack involving the injection of malicious code into e-commerce websites to steal payment card details. Last month, Macy's reported that its website was hit with a similar attack; an "unauthorized party" added computer code to capture information on the macys.com checkout page.

In the case of Smith & Wesson, Sanguine Security's forensic analyst Willem de Groot told PCMag the attackers have been trying to add their credit card skimming code to at least a few dozen other websites. In the past, the hackers have been found using vulnerabilities in the Magento e-commerce software to compromise their targets. But de Groot said the attackers can use a range of different tactics to try and crack a website's security.

Ironically, the hackers behind the Smith & Wesson scheme have been using Sanguine Security's own name to help them pull off their attacks. The credit card skimming code is hosted on two domains the hackers registered: sansec.us and sanguinelab.net. Adding insult to injury, the hackers managed to register the sansec.us domain using de Groot's name.
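
For site owners, the skimmer behaviour described earlier and the two lookalike domains named above suggest a simple check on the checkout page's markup. The following is an added example, not code from Sanguine Security or from the article: it lists every script, iframe and form target on a page and flags any host outside an allowlist. It goes slightly beyond the article by checking form and iframe targets as well as scripts, and the shop, processor and vendor hostnames, the paths and the sample page are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts a hypothetical shop expects on its checkout page.
ALLOWED_HOSTS = {"shop.example", "pay.processor.example"}
# The two skimmer-hosting domains named in the article.
REPORTED_SKIMMER_DOMAINS = {"sansec.us", "sanguinelab.net"}
# Tags that load code or receive submitted data -> attribute holding the URL.
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}

class ResourceCollector(HTMLParser):
    """Collect absolute URLs of scripts, iframes and form targets."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.resources.append((tag, urljoin(self.base_url, value.strip())))

def in_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_page(html, base_url):
    """Return (tag, url, reason) for each resource that should not be there."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = (urlparse(url).hostname or "").lower()
        if in_domain(host, REPORTED_SKIMMER_DOMAINS):
            findings.append((tag, url, "reported-skimmer-domain"))
        elif host not in ALLOWED_HOSTS:
            findings.append((tag, url, "not-allowlisted"))
    return findings

# Constructed sample page: shop, processor and vendor hosts and all paths are made up.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="//sansec.us/constructed.js"></script>
</head><body>
<form action="https://pay.processor.example/charge" method="post"></form>
<form action="https://sanguinelab.net/constructed" method="post"></form>
<script src="https://stats.vendor.example/a.js"></script>
</body></html>"""
```

Calling audit_page(SAMPLE_CHECKOUT, "https://shop.example/checkout") returns three findings. The check only sees tags present in the served HTML, so scripts added at runtime need a browser-side inspection or Content-Security-Policy reporting.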

Smith & Wesson did not immediately respond to a request for comment. However, the malicious JavaScript code is no longer on its website, suggesting Smith & Wesson finally took it down.

Although Smith & Wesson is best known for making firearms, its online store focuses on selling accessories, such as magazine pouches, bags, and cases. The same site will also forward users to registered gun dealers.
