Two days ago, the ecommerce platform for Infowars was found to have a Magecart infection after a quick scan by Dutch security researcher Willem de Groot discovered the malware concealed inside a block of code from Google Analytics.
The malware, which was later categorized as generic, periodically recorded the payment details entered within the online store’s checkout form before sending them to a remote server.
In an email written after the discovery of the malware, the owner of the online store, Alex Jones, said that an estimated 1,600 customers were affected by the card skimming malware, although he suspected that the number could be lower since the majority of these customers were placing re-orders.
Nevertheless, Jones said that the company staff had been instructed to contact all of the affected customers to warn them about the malware and to instruct them to watch for any unusual changes in their accounts.
Magecart Malware Active for About a Day
The Dutch security expert, de Groot, used a proprietary malware scanner he built himself to scan the Infowars online store, which is based on the Magento ecommerce platform. The malware scanner was specially made to detect anomalies in online stores built upon this specific platform.
De Groot noted that previous cursory scans of the online store that had been conducted in the past three and a half years had come up clean. The Magecart malware had been added only 24 hours prior to the last scan.
The code activated during checkout, collecting the full contents of the checkout forms at intervals of 1.5 seconds and dispatching them to a remote google-analytics.org server located in Lithuania.
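The two traits described above, a lookalike destination (google-analytics.org standing in for the real analytics host) and a fixed 1.5-second beaconing rhythm, are both visible in a checkout page's network traffic, which is where a shop operator can look for them. The script below is an added example written for this article, not code from the original piece or from de Groot's scanner; the allowlist, the `shop.example.com` store and the request log are constructed for illustration, and the domain split it uses is deliberately naive (it ignores multi-part TLDs such as co.uk).

```python
"""Defender-side checks over a checkout page's network log: flag hosts that
impersonate trusted third parties, and hosts contacted at a fixed interval.
Allowlist and sample traffic are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the shop legitimately contacts during checkout (assumed allowlist).
ALLOWED_HOSTS = {
    "shop.example.com",
    "www.google-analytics.com",
    "js.stripe.com",
}


def _registrable_parts(host):
    """Return (second-level label, TLD). Naive: ignores multi-part TLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def _levenshtein(a, b):
    """Edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'allowed', 'lookalike-of:<trusted host>' or 'unknown'."""
    if host in ALLOWED_HOSTS:
        return "allowed"
    sld, tld = _registrable_parts(host)
    for trusted in sorted(ALLOWED_HOSTS):
        tsld, ttld = _registrable_parts(trusted)
        # Same name under a different TLD (the .org-for-.com pattern) or a near-miss spelling.
        if (sld == tsld and tld != ttld) or (sld != tsld and _levenshtein(sld, tsld) <= 2):
            return f"lookalike-of:{trusted}"
    return "unknown"


def audit_hosts(urls):
    """Map every non-allowed host in the observed request URLs to its verdict."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "allowed":
            findings[host] = verdict
    return findings


def find_periodic_beacons(events, min_requests=4, tolerance=0.2):
    """Return {host: period_seconds} for hosts contacted at a near-constant interval.

    events: iterable of (timestamp_seconds, url). A host qualifies when it received
    at least min_requests requests and every gap lies within tolerance*mean of the mean.
    """
    by_host = defaultdict(list)
    for ts, url in events:
        by_host[urlsplit(url).hostname or ""].append(ts)
    beacons = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons[host] = round(mean, 3)
    return beacons


# Constructed sample: what a browser's network log for one checkout might contain.
SAMPLE_EVENTS = [
    (0.0, "https://shop.example.com/checkout"),
    (0.3, "https://www.google-analytics.com/collect?v=1&t=pageview"),
    (0.4, "https://js.stripe.com/v3/"),
    (2.0, "https://google-analytics.org/collect"),
    (3.5, "https://google-analytics.org/collect"),
    (4.1, "https://shop.example.com/checkout/shipping"),
    (5.0, "https://google-analytics.org/collect"),
    (6.5, "https://google-analytics.org/collect"),
    (7.2, "https://shop.example.com/checkout/place-order"),
    (8.0, "https://google-analytics.org/collect"),
    (9.0, "https://cdn.unknown-vendor.net/widget.js"),
]

if __name__ == "__main__":
    urls = [url for _, url in SAMPLE_EVENTS]
    print("non-allowlisted hosts:", audit_hosts(urls))
    print("periodic beacons:", find_periodic_beacons(SAMPLE_EVENTS))
```

Run on the constructed log, the lookalike check singles out google-analytics.org as a stand-in for www.google-analytics.com and leaves cdn.unknown-vendor.net as merely unknown, while the interval check reports the five evenly spaced requests to google-analytics.org as a 1.5-second beacon. Neither check on its own proves skimming; together they are the kind of signal that justifies pulling the page's scripts for review.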
New Group Suspected to Be Behind Infowars Attack
A 60-page report from security firms Flashpoint and RiskIQ presented a list of cybercrime outfits that had previously used the card skimming malware as well as the history of tactics used to deploy Magecart-like attacks. According to the report, seven different cybercrime groups have used the card skimming malware on various online stores over the past four years.
The attack on the Infowars store did not match the M.O. of any of the seven criminal outfits listed in the report, de Groot concluded after a thorough analysis of the code, which suggested that a different group could be behind this latest attack. He added that Infowars was just one of 100 other online stores carrying the same malware, which he attributed to the popularity of the Magecart campaign.
De Groot also noticed that the code’s implementation was inferior, and despite using stealth tactics to evade detection, the code itself was littered with errors. Although the attacker(s) used obfuscation techniques, they were very much unlike those of a more advanced cybercrime outfit known as Group 4, listed in RiskIQ’s report.
De Groot later published a report showing that an alarming one in five online stores that had suffered a Magecart attack were hit again. He explained that applying the security patches was a delicate matter and that the slightest mistake could lead to another infection.
The Dutch researcher went into as much detail about how the Magecart skimmer malware infected the Infowars online store as he could without risking another attack.
Jones’ Searing Email to ZDNet
Infowars owner Alex Jones was predictably vexed following the discovery of the card skimmer on his site. In a fiery email he later sent to news site ZDNet.com, he branded the attack a political sabotage attempt and a zero-day hack that was orchestrated by the Democratic Party, elements in the U.S. intelligence agencies and communist parties from countries like China.
Jones shut down claims that the Magento shopping cart plugin was to blame for the breach by revealing that the Infowars online store had never had that plugin installed. He was confident that despite the attack, a number of security features had blocked the perpetrators from getting access to any of the stolen credit card numbers.