
A Magecart credit card skimming attack has been discovered on the online store for the Infowars web site. Visitors who purchased anything on the store while the malicious code was present would have had their payment information sent to the attacker's server in Lithuania.

Magecart is the name of a category of attacks that use JavaScript to monitor eCommerce payment pages for submitted payment information. At regular intervals, on form submission, or on some other action, the monitored payment details are sent to a remote server under the attacker's control, where they can be collected.

The Magecart compromise on Infowars.com was first discovered by security researcher Willem de Groot, who specializes in these types of attacks. De Groot has told BleepingComputer that the malicious script was added between 2018/11/11 21:55 and 2018/11/12 21:37 and was removed last night.

Magecart script pretends to be Google Analytics

When installed, the Magecart script on Infowars' online store at http://infowarsstore.com attempted to masquerade as part of a Google Analytics script, shown below. The Magecart portion is the obfuscated script starting with "var KKbVWE".

Obfuscated Magecart script

In a deobfuscated version De Groot shared with BleepingComputer, you can clearly see how the script attempts to steal form entries and upload them to a remote server.

First, the script declares a setInterval method that checks every 1.5 seconds whether the browser developer tools are open. If dev tools are open, it tries to put the script to sleep; otherwise it calls the collectForm function to harvest payment information.

Collect the form details every 1.5 seconds

De Groot told BleepingComputer that the attacker's implementation to detect dev tools was done poorly.

"It tries to detect developer tools and go into sleep mode, but it's a crappy implementation that does not work in most cases."

When the collectForm function is called it will collect the payment information entered into the form by the visitor. This information is then passed to the sendForm function.

Harvesting payment information

The sendForm function then dynamically creates a 1x1 image and injects it into the page. The image source is a URL on the attacker's server at google-analyitics[.]org, with the base64-encoded form information appended as a variable.

Sending the payment information to a remote site

When the image is injected into the page, the browser will try to load the image and pass along the form's content to the attacker's server. 
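The image request described above is visible in outbound request logs and CSP reports. The following Node.js check is an added example, not code from the article or from De Groot's analysis: it flags a request whose host imitates a trusted one or whose query parameter decodes from base64 to readable text. The allowlist, URL path, form field names and function names are assumptions constructed for illustration.

```javascript
// Added example (Node.js). TRUSTED_HOSTS, the path and the form field names are
// constructed; the lookalike host is the one named in the article, refanged.
const TRUSTED_HOSTS = ['www.google-analytics.com', 'infowarsstore.com'];
const SAMPLE_URL = 'https://' + 'google-analyitics[.]org'.replace('[.]', '.') +
  '/p.gif?d=' + encodeURIComponent(
    Buffer.from('cc_number=4111111111111111&cc_exp=12/20').toString('base64'));

// Levenshtein distance, used to spot hosts that imitate a trusted name.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Naive registrable label: "www.google-analytics.com" -> "google-analytics".
const brandLabel = (host) => host.split('.').slice(-2, -1)[0] || host;

// Return the decoded text if value is canonical base64 of printable ASCII, else null.
function decodeIfBase64(value) {
  const norm = value.replace(/[ -]/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  if (!/^[A-Za-z0-9+/]{16,}$/.test(norm)) return null;
  const buf = Buffer.from(norm, 'base64');
  if (buf.toString('base64').replace(/=+$/, '') !== norm) return null;
  const text = buf.toString('latin1');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// Inspect one outbound request URL (e.g. from a proxy log or CSP report).
function inspectRequest(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase();
  const reasons = [];
  if (TRUSTED_HOSTS.includes(host)) return { host, flagged: false, reasons };
  for (const trusted of TRUSTED_HOSTS) {
    const d = editDistance(brandLabel(host), brandLabel(trusted));
    if (d > 0 && d <= 2) reasons.push(`host imitates ${trusted}`);
  }
  for (const [name, value] of url.searchParams) {
    if (decodeIfBase64(value)) reasons.push(`base64 text in parameter "${name}"`);
  }
  return { host, flagged: reasons.length > 0, reasons };
}

console.log(inspectRequest(SAMPLE_URL));
```

The lookalike check compares only the label left of the top-level domain, so it catches the one-letter insertion used here but needs a public-suffix list to handle multi-part suffixes correctly.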

The group behind this attack appears to be one of the most active as this same code is currently being used on almost 100 other stores.

"The same code is currently injected in about a 100 other stores, mostly medium-sized," De Groot told BleepingComputer. "It is one of the more active card skimming groups of recent months."

De Groot warns that 20% of online eCommerce stores get reinfected within 11 days and that users should be careful when submitting payment information on previously compromised sites.

Infowars blames Magecart attack on Chinese and Democrats

According to a statement sent to ZDNet by Infowars, only 1,600 customers were affected.

The statement goes on to say that they feel the attack was caused "by big tech, the communist Chinese, and the Democratic party" trying to shut down Infowars.

This criminal hack is an act of industrial and political sabotage. The corporate press is claiming that a Magento plugin to the shopping cart was the point of entry, but that is not true. Infowarsstore.com has never installed that plugin. We use some of the top internet security companies in the nation and they have reported to us that this is a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies.

Magento's top security people have done a site-wide scan and found no security vulnerabilities. And we believe security features we will not mention, appear to have blocked them from getting anyone's credit card numbers.

The hack took place less than 24 hours ago; it is undoubtedly the hacker or hacker group that then reported this to the establishment corporate press in an attempt to scare business away from Infowarstore.com.

Only 1600 customers may have been affected. Most of those were re-orders so their information would not be accessible. Nevertheless, our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them.

Bottom line: this latest action is a concerted effort to de-platform Infowars by big tech, the communist Chinese, and the Democratic party who have been publicly working and lobbying to wipe Infowars from the face of the earth.

In summation, America is under attack by globalist forces and anyone standing up for our republic will be attacked mercilessly by the corporate press, Antifa and rogue intelligence operatives. Infowars will never surrender!

BleepingComputer has contacted Infowars for comment, but had not heard back at the time of this publication.
