Magecart payment card skimmers have now infiltrated two poker websites, according to the latest research released by Malwarebytes. The two affected websites were identified as and its subdomain, both of which are related to PokerTracker, a poker software suite used by online poker players.
The PokerTracker app makes decisions based on compiled gameplay statistics, helping users to improve their chances of winning. While the app itself isn’t affected by malware, its user interface shows that web pages have been affected. As a result, poker players and enthusiasts who are either using the app or simply visiting the poker websites are directly exposed to risk.
Magecart Invasion
The first signs of Magecart invasion were detected when PokerTracker’s anti-malware software blocked it from connecting to a domain known to host cybercriminals. Malwarebytes then launched an investigation by running its software which unusually retrieved a malicious JavaScript file. Researchers were initially confused as credit card skimmers were known to target web browsers used by online shoppers. The focus on poker websites was a different method of operation.
It was later discovered that cybercriminals had hacked the PokerTracker software and the website as well, successfully injecting them with a malicious program which enabled them to copy a poker player’s payment details when transactions were carried out on the site.
PokerTracker Used Outdated CMS
The investigation also found that PokerTracker was using an outdated version of the Drupal content management system that was susceptible to JavaScript injection, which allowed credit card skimmers to perform the attack. The cybercriminals attempted to transfer important data to the malicious domain, a website known to host several skimmers targeting different sites.
It has emerged that PokerTracker was running Drupal 6.3x when the latest release is now 8.6.17. PokerTracker owners have now dealt with the vulnerable Drupal module and introduced a tighter Content Security Policy (CSP) to prevent such incidents from reoccurring. While this is a positive measure, poker room owners shouldn’t be complacent as CSPs are unable to identify and track unknown third-party scripts brought in by sites and resources.
Magecart Skimmers Hunting for New Victims
The latest discovery shows that skimmers and cybercriminals have now upped their ante and are invading sites running Drupal, an unusual target considering that these criminals typically attack traditional Magento-supported e-commerce checkout pages. Jerome Segura, Malwarebytes’ director of threat intelligence, said the result of their investigation is somewhat surprising, but it should now serve as a warning that users of websites that load unvalidated JavaScript code are in serious danger. Segura said web skimmers are now everywhere, even in the most unexpected locations, not just in online shopping checkout pages.
It is highly advised that poker operators carry out a close monitoring of all the scripts that run on the site and make sure that only the authorized programs are able to execute. This way, the users’ security and privacy are better-protected.
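One way to carry out the script monitoring described above, as an added example (not code from Malwarebytes or PokerTracker): it lists every script a page loads and flags those from hosts outside an approved list, approved third-party scripts loaded without Subresource Integrity, and inline scripts. The function names, the allowlist and the sample page are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag; src is None for inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_scripts(html, page_url, allowed_hosts):
    """Return (severity, detail) findings for scripts a reviewer should look at."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append(("review", "inline script (needs a CSP nonce or hash)"))
            continue
        host = urlparse(urljoin(page_url, src)).hostname
        if host == page_host:
            continue  # first-party file: cover with file-integrity monitoring instead
        if host not in allowed_hosts:
            findings.append(("alert", f"script from unapproved host {host}"))
        elif not integrity:
            findings.append(("warn", f"approved host {host} loaded without SRI"))
    return findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """
<html><head>
<script src="/misc/jquery.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://stats.example.org/t.js"></script>
<script src="//unknown-host.example/click.js"></script>
<script>var cfg = {};</script>
</head></html>
"""
ALLOWED = {"cdn.example.net", "stats.example.org"}

if __name__ == "__main__":
    for severity, detail in audit_scripts(SAMPLE, "https://shop.example/checkout", ALLOWED):
        print(severity, detail)
```

Run against a saved copy of each payment-related page on a schedule, a new "alert" line means a script host appeared that nobody approved. The approved list can double as the source for the CSP `script-src` directive.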
Cybercriminals are continuously on the lookout for their next potential victims, and if there’s anything to be learned from PokerTracker’s situation, it is that poker operators should be responsible enough to update their content management systems (CMS). Failure to do so would result in many more poker websites becoming vulnerable to skimming.
Magecart Skimmers
Magecart remains a major headache for website operators as the group has now compromised ad script tags to drive traffic to its skimmers. Based on figures from a recent RiskIQ analysis, 17.3 percent of malvertisements resulted in a Magecart hacking attempt. RiskIQ’s six-month sample of threat detection data shows a significant spike (186%) in drive-by malvertising cases, as well as an increase in instances of malware, though there has been a drop in scam and phishing figures, mainly due to new blocking methods employed by websites for an enhanced user experience.
Magecart steals customer payment card data through its malicious hacker groups, which are employed to target online shopping cart systems. The attack works by compromising a website’s third-party software or infecting its industrial process beyond IT detection. Data privacy is an important subject in the modern world, especially as countries around the world are introducing their own data privacy laws.
Poker site owners should now be more vigilant and perform a regular check on their CMS to avoid similar incidents in the future.
