Card skimming malware removed from Infowars online store

Infowars online store hit by brief Magecart incident that lasted around 24 hours. Less than 1,600 users may have been affected.
Written by Catalin Cimpanu, Contributor

Malware capable of secretly recording payment card details was removed today from the Infowars online store after ZDNet reached out to the company's staff.

The malware, categorized as a generic Magecart infection, was spotted earlier today during a cursory scan by Dutch security researcher Willem de Groot.

Less than 1,600 users affected

The malware works by recording payment card details entered inside store checkout forms and then sending the data to remote servers.

Infowars owner Alex Jones told ZDNet that "only 1,600 customers may have been affected," but the number may be even smaller as some of these customers placed re-orders.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

"Our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them," Jones told ZDNet in an emailed statement --embedded in full at the bottom of this article.

Malware active roughly 24 hours

De Groot spotted the malware infection on the Infowars online store using a powerful malware scanner that he built a few years back and which is specialized in detecting vulnerabilities and infections in online stores built on top of the Magento e-commerce platform.

"I have not detected any other malware on this site in the past 3.5 years," de Groot told ZDNet in an interview today. "The first detection was on 2018/11/12 21:37:07 UTC. It was added in the previous 24h," de Groot said, referring to today's discovery of the malicious JavaScript code.

The malware that de Groot found was hidden inside a modified block of Google Analytics code.


This piece of code --also referred to as a card skimmer, or skimmer-- was present on all Infowars store pages, but it only activated during the checkout process.

The malicious code scraped all content found inside the checkout form fields every 1.5 seconds and sent the collected data to a remote server located at google-analyitics[.]org, hosted in Lithuania, de Groot told ZDNet after we asked the researcher to analyze the code.

A deobfuscated version of the malicious code can be found here.

A new Magecart group?

Earlier today, two cyber-security firms, RiskIQ and Flashpoint, published a 60-page report on Magecart-like attacks on the e-commerce industry. The report, summarized in this ZDNet piece, presented the tactics and histories of seven different cyber-criminal operations that have deployed Magecart-like card skimming malware on online stores in the past four years.

"The coding style is unlike any of the groups described in the RiskIQ report," de Groot said, suggesting this may be a totally new operation.

"It's a popular campaign, there are right now another 100 of (typically large) stores with the same malware," the researcher added.

"While the code contains a stealth mode to evade detection - comparable to RiskIQ's Group 4 - the implementation is broken. There are several other mistakes in the code and the applied obfuscation is very basic, which is unlike Group 4's methods.

"While the shoddy implementation suggests an amateurish actor, the profile of its targets are above average. Several of its victims are running Magento Enterprise, which is usually very well secured. This suggests the attacker is more skilled in hacking into servers than writing Javascript code," de Groot said.

Albeit the Dutch researcher shared technical details on how the Infowars store was infected with the card skimmer, ZDNet will refrain from publishing such information to avoid putting future Infowars customers at unnecessary risk.

This is because even the smallest mistake in patching compromised stores can lead to re-infection. Just yesterday, de Groot published research revealing that one in five online stores that suffered a Magecart infection were reinfected, at least once.

The full Alex Jones statement is available below:

This criminal hack is an act of industrial and political sabotage. The corporate press is claiming that a Magento plugin to the shopping cart was the point of entry, but that is not true. Infowarsstore.com has never installed that plugin. We use some of the top internet security companies in the nation and they have reported to us that this is a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies.

Magento's top security people have done a site-wide scan and found no security vulnerabilities. And we believe security features we will not mention, appear to have blocked them from getting anyone's credit card numbers.

The hack took place less than 24 hours ago; it is undoubtedly the hacker or hacker group that then reported this to the establishment corporate press in an attempt to scare business away from Infowarstore.com.

Only 1600 customers may have been affected. Most of those were re-orders so their information would not be accessible. Nevertheless, our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them.

Bottom line: this latest action is a concerted effort to de-platform Infowars by big tech, the communist Chinese, and the Democratic party who have been publicly working and lobbying to wipe Infowars from the face of the earth.

In summation, America is under attack by globalist forces and anyone standing up for our republic will be attacked mercilessly by the corporate press, Antifa and rogue intelligence operatives. Infowars will never surrender!

Related cybersecurity coverage:

Best Black Friday 2018 deals:

Editorial standards