Card skimming malware removed from Infowars online store

Malware capable of secretly recording payment card details was removed today from the Infowars online store after ZDNet reached out to the company's staff.

The malware, categorized as a generic Magecart infection, was spotted earlier today during a cursory scan by Dutch security researcher Willem de Groot.

Less than 1,600 users affected

The malware works by recording payment card details entered inside store checkout forms and then sending the data to remote servers.

Infowars owner Alex Jones told ZDNet that "only 1,600 customers may have been affected," but the number may be even smaller as some of these customers placed re-orders.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

"Our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them," Jones told ZDNet in an emailed statement --embedded in full at the bottom of this article.

Malware active roughly 24 hours

De Groot spotted the malware infection on the Infowars online store using a powerful malware scanner that he built a few years back and which is specialized in detecting vulnerabilities and infections in online stores built on top of the Magento e-commerce platform.

"I have not detected any other malware on this site in the past 3.5 years," de Groot told ZDNet in an interview today. "The first detection was on 2018/11/12 21:37:07 UTC. It was added in the previous 24h," de Groot said, referring to today's discovery of the malicious JavaScript code.

The malware that de Groot found was hidden inside a modified block of Google Analytics code.

This piece of code --also referred to as a card skimmer, or skimmer-- was present on all Infowars store pages, but it only activated during the checkout process.

The malicious code scraped all content found inside the checkout form fields every 1.5 seconds and sent the collected data to a remote server located at google-analyitics[.]org, hosted in Lithuania, de Groot told ZDNet after we asked the researcher to analyze the code.

A deobfuscated version of the malicious code can be found here.

A new Magecart group?

Earlier today, two cyber-security firms, RiskIQ and Flashpoint, published a 60-page report on Magecart-like attacks on the e-commerce industry. The report, summarized in this ZDNet piece, presented the tactics and histories of seven different cyber-criminal operations that have deployed Magecart-like card skimming malware on online stores in the past four years.

"The coding style is unlike any of the groups described in the RiskIQ report," de Groot said, suggesting this may be a totally new operation.

"It's a popular campaign, there are right now another 100 of (typically large) stores with the same malware," the researcher added.

"While the code contains a stealth mode to evade detection - comparable to RiskIQ's Group 4 - the implementation is broken. There are several other mistakes in the code and the applied obfuscation is very basic, which is unlike Group 4's methods.

"While the shoddy implementation suggests an amateurish actor, the profile of its targets are above average. Several of its victims are running Magento Enterprise, which is usually very well secured. This suggests the attacker is more skilled in hacking into servers than writing Javascript code," de Groot said.

Albeit the Dutch researcher shared technical details on how the Infowars store was infected with the card skimmer, ZDNet will refrain from publishing such information to avoid putting future Infowars customers at unnecessary risk.

This is because even the smallest mistake in patching compromised stores can lead to re-infection. Just yesterday, de Groot published research revealing that one in five online stores that suffered a Magecart infection were reinfected, at least once.

The full Alex Jones statement is available below:

This criminal hack is an act of industrial and political sabotage. The corporate press is claiming that a Magento plugin to the shopping cart was the point of entry, but that is not true. Infowarsstore.com has never installed that plugin. We use some of the top internet security companies in the nation and they have reported to us that this is a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies.

Magento's top security people have done a site-wide scan and found no security vulnerabilities. And we believe security features we will not mention, appear to have blocked them from getting anyone's credit card numbers.

The hack took place less than 24 hours ago; it is undoubtedly the hacker or hacker group that then reported this to the establishment corporate press in an attempt to scare business away from Infowarstore.com.

Only 1600 customers may have been affected. Most of those were re-orders so their information would not be accessible. Nevertheless, our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them.

Bottom line: this latest action is a concerted effort to de-platform Infowars by big tech, the communist Chinese, and the Democratic party who have been publicly working and lobbying to wipe Infowars from the face of the earth.

In summation, America is under attack by globalist forces and anyone standing up for our republic will be attacked mercilessly by the corporate press, Antifa and rogue intelligence operatives. Infowars will never surrender!

Related cybersecurity coverage:

• US Cyber Command starts uploading foreign APT malware to VirusTotal
• States activate National Guard cyber units for US midterm elections
  
• Alex Jones sues PayPal after InfoWars banned for 'hate and intolerance' CNET
• Cisco removed its seventh backdoor account this year, and that's a good thing
• Data of nearly 700,000 Amex India customers exposed via MongoDB server
• Hackers breach StatCounter to hijack Bitcoin transactions on Gate.io exchange
  
• Adobe acquires Magento in bid to become Salesforce for SMBs TechRepublic
• Canada Post leaked personal data, orders of thousands of cannabis smokers

Best Black Friday 2018 deals:

• Amazon Seven Days of Black Friday Deals: All-time lows on office devices
• Amazon Black Friday 2018 deals: See early sales on Echo, Fire HD
• Best Buy Black Friday 2018 deals: Deep discounts on Apple Mac, Microsoft Surface
• Target Black Friday 2018 deals: $250 iPad mini 4, $120 Chromebook
• Walmart Black Friday 2018 deals: $99 Chromebook, $89 Windows 2-in-1
• Dell Black Friday 2018 deals: $120 Inspiron laptop, $500 gaming desktop
• Newegg Black Friday 2018 deals: $50 off Moto G6, $70 off Nest thermostat
• Office Depot Black Friday 2018 deals: $300 off Lenovo Flex, $129 HP Chromebook
• eBay Black Friday 2018 deals: See early sales on Galaxy Watch, Chromecast
• Lenovo Black Friday 2018 deals: ThinkPad laptops and more
• Microsoft Store Black Friday 2018 deals: Ad showcases Surface, laptop deals
• Windows laptops Black Friday deals: Dell, HP, Lenovo
• Chromebook Black Friday 2018 deals: Dell, Google, HP
• Best tablet Black Friday deals: Apple iPad, Amazon Fire
• Black Friday 2018 iPhone deals: $400 iPhone X gift card, BOGO iPhone XR
• Black Friday 2018 smartphone deals: OnePlus 6T, LG G7