Customers of the Infowars store are getting scammed every day but this time it’s different. A security researcher discovered a form of malware embedded in the conspiracy site’s checkout process that records credit card details and transmits them to a remote server.
ZDNet interviewed Dutch security researcher Willem de Groot about his discovery of a strain of malware known as Magecart on the Infowars store. De Groot uses a custom-built malware scanner to monitor various websites for infections and he told ZDNet that he’s kept tabs on Infowars for three and a half years with no signs of foul play.
But on Monday, he noticed some malicious code had been added to a block of JavaScript connected to Google Analytics. He said it appeared within 24 hours prior to its discovery. In a statement sent to ZDNet, Infowars founder Alex Jones said that “only 1,600 customers may have been affected,” and the company’s customer support team “is being contacted so they can watch for any unusual charges to their account and rectify them.”
Magecart has been used in various forms to gobble up credit card information across the e-commerce industry, with high-profile hacks hitting hundreds of thousands of victims at companies like NewEgg and British Airways.
Yesterday, RisqIQ and Flashpoint released an in-depth report linking the malware to at least seven different cyber-criminal operations. De Groot told ZDNet that the Infowars code was different than what was covered in the Flashpoint report. “While the shoddy implementation suggests an amateurish actor, the profile of its targets are above average,” he said. “Several of its victims are running Magento Enterprise, which is usually very well secured.”
While the piece of code was embedded on every page of the Infowars store, it reportedly only functioned when a user decided to check out. Every 1.5 seconds it would scrape the contents of the payment fields and transmit them to a server in Lithuania located at “google-analyitics.org.
Infowars did not immediately respond to our request for comment but Jones sent ZDNet a lengthy rant that boils down to something like, I haven’t been pwned! It reads in part:
The corporate press is claiming that a Magento plugin to the shopping cart was the point of entry, but that is not true. Infowarsstore.com has never installed that plugin. We use some of the top internet security companies in the nation and they have reported to us that this is a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies […]
The hack took place less than 24 hours ago; it is undoubtedly the hacker or hacker group that then reported this to the establishment corporate press in an attempt to scare business away from Infowarstore.com.
Jones went on to accuse “big tech, the communist Chinese, and the Democratic party” of being behind a sweeping effort to de-platform Infowars. We’ve reached out to Magento to confirm Jones’s claims that the point of entry did not involve one of the e-commerce company’s plugins and that he’s working closely with its “top security people”.
It’s also a little shocking to hear that Infowars has 1,600 customers in a single day. As Buzzfeed has outlined in detail, the site traffics almost exclusively in supplements with little-to-no provable health benefits that can be found elsewhere for a fraction of the price.
One lab test of a supplement called Anthroplex concluded that it’s simply a zinc supplement that contains very little zinc. The lab claimed a more effective dose could be purchased for $7 while Anthroplex retails for $42.
Jones claims that many of the customers who made purchases in the time that the malware was active were re-orders, so their information may have not been stolen. Congratulations to them, I guess?
[ZDNet]