Cyber Incident Victim: Infowars
Date: Nov 2018
Location: United States of America
Summary
The Infowars online store experienced a Magecart credit card skimming attack where malicious JavaScript injected into the payment page harvested customers' payment information and exfiltrated it to a server in Lithuania. The script, disguised as Google Analytics code, monitored form submissions and attempted to evade detection by checking for open developer tools, then transmitted stolen data via a covert image request. Approximately 1,600 customers were affected during the compromise period, though the organization claimed existing security measures prevented full credit card number theft and attributed the attack to external adversaries. The same threat actor group simultaneously targeted nearly 100 other e-commerce platforms using identical techniques.
Description
The Infowars online store experienced a Magecart credit card skimming attack between November 11, 2018, at 21:55 UTC and November 12, 2018, at 21:37 UTC, with the malicious script removed the following evening. Security researcher Willem de Groot identified the compromise, which involved JavaScript designed to harvest payment information from customers during checkout. The script masqueraded as part of Google Analytics using obfuscated code beginning with 'var KKbVWE' and employed evasion techniques, including a function that checked every 1.5 seconds whether browser developer tools were open, pausing data collection if detected to avoid discovery. When active, the script collected form entries containing payment details and transmitted them via a dynamically injected 1x1 pixel image to a command-and-control server hosted at the domain google-analyitics[.]org, based in Lithuania. The stolen data was appended to the image URL as a base64-encoded string, so it left the browser as an ordinary image GET request rather than an XHR or fetch call, which is less likely to stand out in network logs. Magecart attacks typically target eCommerce payment pages by monitoring form submissions, and this variant was part of a broader campaign affecting nearly 100 other online stores at the time.

Infowars stated approximately 1,600 customers were impacted during the 24-hour window of compromise. The organization attributed the attack to external adversaries, specifically naming "big tech, the communist Chinese, and the Democratic party" as responsible parties attempting to disrupt their operations. Infowars claimed their contracted security providers blocked attackers from accessing full credit card numbers, though no technical evidence supporting this assertion was disclosed. The incident highlighted the prevalence of Magecart reinfections, with de Groot noting a 20% recurrence rate among compromised eCommerce sites within 11 days. No customer remediation efforts or forensic findings were detailed in Infowars' public statements. The attacker group remained unidentified but was described as highly active due to the widespread deployment of identical skimming code across multiple victims. BleepingComputer contacted Infowars for additional comment but received no response prior to publication.
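As an added defensive example (not part of the original report), the script below scores outbound requests from a checkout page against the two indicators described above: a host that is a near-miss of an allowlisted analytics domain, and a long base64 run in the query of what is otherwise a plain image fetch. The allowlist, the sample URLs and the encoded payload are all constructed for the example.

```python
import base64
import binascii
import difflib
import re
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: exact third-party hosts the checkout page is expected to contact.
LEGIT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}

# A run of 32+ base64 characters with optional padding and nothing else.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def brand_label(host: str) -> str:
    """Second-level label of a hostname, e.g. 'google-analyitics' for google-analyitics.org."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True if host is not allowlisted but its brand label is near-identical to an allowlisted one."""
    if host.lower() in LEGIT_HOSTS:
        return False
    label = brand_label(host)
    return any(difflib.SequenceMatcher(None, label, brand_label(h)).ratio() >= 0.85
               for h in LEGIT_HOSTS)


def carries_base64_blob(query: str) -> bool:
    """True if the raw query, or any query value, is a decodable base64 run of 32+ chars."""
    values = [v for vals in parse_qs(query, keep_blank_values=True).values() for v in vals]
    for candidate in [query] + values:
        if B64_RE.match(candidate):
            try:
                base64.b64decode(candidate, validate=True)
                return True
            except (ValueError, binascii.Error):
                continue
    return False


def classify_request(url: str) -> dict:
    """Rate one outbound URL: lookalike host plus base64 query is the pattern from the writeup."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    lookalike, b64 = is_lookalike(host), carries_base64_blob(p.query)
    unknown = host not in LEGIT_HOSTS
    severity = ("high" if lookalike and b64 else "medium" if unknown and b64
                else "low" if lookalike else "none")
    return {"host": host, "lookalike_host": lookalike, "base64_in_query": b64, "severity": severity}


# Constructed sample traffic; the encoded payload is a placeholder string, not captured data.
FAKE_PAYLOAD = base64.b64encode(b"field=placeholder-not-real-cardholder-data").decode()
SAMPLE_REQUESTS = [
    "https://www.google-analytics.com/collect?v=1&t=pageview",
    "https://google-analyitics.org/?" + FAKE_PAYLOAD,
    "https://cdn.example-shop.invalid/img/spacer.gif",
]


def scan(urls=SAMPLE_REQUESTS) -> dict:
    """Classify every URL; callers alert on anything rated 'medium' or 'high'."""
    return {u: classify_request(u) for u in urls}
```

Feed it the request list from a CSP `report-uri` collector or a proxy log for the checkout path; the allowlist must hold exact hostnames, since any unlisted variant of a listed brand is deliberately flagged.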
