Skip to main content

Magecart hackers target popular poker software

(Image credit: Shutterstock.com)

Magecart credit card skimmers typically target users through their web browser when shopping online but new research from Malwarebytes has discovered that cybercriminals were able to compromise poker software to do so as well.

Poker Tracker is a software suite used by online poker enthusiasts to improve their chances of winning by making decision using statistics compiled from the gameplay of their opponents. Malwarebytes first began its investigation into Poker Tracker when its anti-malware blocked the software from connecting to a domain known to host credit card skimmers.

The firm's security researchers installed and ran the software at which time they discovered it was connecting to ajsaxclick[.]com and retrieving a malicious JavaScript file. At first Malwarebytes believed that the application had been compromised but this would be quite unusual as credit card skimmers have only been observed on websites.

Upon closer inspection though, the researchers found that the software can load and display web pages from PokerTracker's subdomain 'pt4.pokertracker.com'. The cybercriminals hacked both Poker Tracker's software and its website and injected them with malicious code that the software loaded every time it launched. This led any payment made through the software or its website to copy the attacker with the payment details.

CMS issue

The cybercriminals that compromised PokerTracker's website were able to do so because the site was running an outdated version of Drupal CMS. The site was running Drupal 6.3.x while the latest release is 8.6.17 and in that time, many known vulnerabilities have been patched.

However, Malwarebytes security researcher Jérôme Segura noted that it was unusual to see credit card skimmers targeting Drupal since they typically are found on ecommerce platforms with Magento being the most popular target. 

The cybersecurity firm informed PokerTracker regarding the issue and it has since been fixed but Segura explained in a blog post that we should expect to find credit card skimmers in unexpected locations going forward, saying:

“What this incident tells us is that users might encounter web skimmers in unexpected locations—and not just in online shopping checkout pages. At the end of the day, anything that will load unvalidated JavaScript code is susceptible to being caught in the crosshairs. As a result, the Magecart robbers have a nice, wide playing field in front of them.”

Via Bleeping Computer