Magecart credit card skimmers found on PokerTracker software

• Magecart skimmer script was injected into PokerTracker’s subdomain and root domain as both were running an outdated version of Drupal (6.3x).
• Malwarebytes reported the incident to PokerTracker and they immediately identified the issue and removed the outdated Drupal module.

The Magecart card skimmer scripts are typically found in attacks against e-commerce sites. However, in a recent case, Malwarebytes researchers uncovered Magecart skimmers on the PokerTracker website.

The detailed picture

Researchers learned from a customer that Malwarebytes anti-malware blocks the connection to the domain ajaxclick[.]com when PokerTracker 4 (PokerTracker4.exe) was launched.

• Upon which, researchers tested the issue by launching the program, and observed the same web connection block.
• The researchers then inspected the network traffic with the IP address 172.93.103[.]94, in order to understand the communication between PokerTracker 4 and ajaxclick[.]com.
• They then uncovered that the HTTP GET request retrieved a malicious JavaScript file (click.js) from ajaxclick[.]com domain.
• Upon decoding the malicious script, researchers determined that the Magecart skimmer was customized for the PokerTracker website.
• Researchers also observed that the skimmer domain includes different skimmers that have each been customized for individual victim websites.

Worth noting

Magecart skimmer script has been injected into PokerTracker’s subdomain and root domain as both are running an outdated version of Drupal (6.3x). Therefore, every time users launch PokerTracker 4, it would load the compromised web page within the application. This resulted in Malwarebytes blocking the web connection.

In an unexpected departure from the norm, the Magecart script found on the online poker site instead of an e-commerce site suggests attackers diversifying their targets.

“What this incident tells us is that users might encounter web skimmers in unexpected locations—and not just in online shopping checkout pages. At the end of the day, anything that will load unvalidated JavaScript code is susceptible to being caught in the crosshairs,” researchers said.

The response from PokerTracker

• Malwarebytes reported the incident to PokerTracker and they immediately identified the issue and removed the outdated Drupal module.
• PokerTracker also said they’ve tightened their Content Security Policy (CSP) to help mitigate future attacks via malicious skimmer scripts.