A curious case of web-based card skimming activity revealed that the Poker Tracker website had been compromised and loaded a Magecart script - code that steals payment information from customers.

Online poker enthusiasts use the Poker Tracker software suite to improve their winning chances by making decisions based on statistics compiled from the opponents' gameplay.

Magecart loading in poker app

A report on August 8 indicated that Malwarebytes anti-malware blocked Poker Tracker from connecting to a domain known to host credit card skimmers - scripts that copy payment card details on checkout pages and deliver them to the attacker.

Security researchers decided to investigate and after installing and running the software they noticed the same behavior: a connection to ajaxclick[.]com and retrieval of a malicious JavaScript file.

One early theory was that the application had been compromised. This would have been an unusual development for web skimmers since their presence has been observed only on websites.

However, a closer look at the software showed that it can load and display web pages from the PokerTracker subdomain 'pt4.pokertracker.com.'

Both sources had been hacked and injected with the malicious code, causing the software to load it at every launch. Any payment made through the application or its website would also send a copy of the payment details to the attacker.

Outdated CMS

The compromise was possible because PokerTracker.com was running Drupal 6.3.x, an outdated version that has security vulnerabilities. The latest release for the platform is 8.6.17, available since June 17.

Jérôme Segura says that seeing this type of script targeting Drupal was surprising, since the focus is typically on e-commerce platforms, Magento in particular.

After decoding the script (click.js), the data exfiltration process became clear. The data is verified before being serialized and encrypted with an easy-to-crack password: 'love1234.' The final stage is sending the data to the attacker's site.

The researcher notes that the skimmer was customized for this particular target, with variable names matching the input fields on the website, and the data segment in the code had PokerTracker.com hardcoded in.

Looking at the attacker's server, Segura found multiple skimmers, each customized for its victim.

The owners of PokerTracker have been contacted and they acted promptly to fix the problem.

Malwarebytes was told that the site has improved the Content Security Policy (CSP), a web security standard that allows controlling the resources loaded for specific web pages.
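To show how a Content Security Policy stops this class of injection, here is an added example (not code from the article, from Malwarebytes, or from PokerTracker) that extracts the script sources from a checkout page and checks each one against a CSP header the way a browser's `script-src` enforcement would, in simplified form. The page origin `https://shop.example`, the CDN `cdn.example`, the third-party host `ajaxclick.example` and the sample HTML are all constructed for the example; host matching ignores ports, paths, nonces and hashes, so it is an audit aid rather than a full CSP implementation.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Per the spec, a repeated directive is ignored; the first one wins."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern, host):
    """'*.cdn.example' matches subdomains only; anything else is an exact match."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allowed(expr, script_url, page_origin):
    """Does one CSP source expression permit loading script_url from page_origin?
    Simplified: no port or path matching; nonce/hash/unsafe-* never match a URL."""
    s, p = urlparse(script_url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (s.scheme, s.netloc) == (p.scheme, p.netloc)
    if expr == "*":
        return s.scheme in ("http", "https")
    if expr.endswith(":"):                      # scheme-source, e.g. "https:"
        return s.scheme == expr[:-1].lower()
    if expr.startswith("'"):                    # 'unsafe-inline', 'nonce-…', 'sha256-…'
        return False
    # host-source: [scheme://]host[:port][/path]
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        if s.scheme != scheme.lower():
            return False
    else:
        rest = expr
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return _host_matches(host, s.hostname or "")


def script_allowed(csp_header, script_url, page_origin):
    """True if the policy lets the page load script_url (script-src, else default-src)."""
    directives = parse_csp(csp_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:                         # no applicable directive: unrestricted
        return True
    return any(source_allowed(e, script_url, page_origin) for e in sources)


class _ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def audit_page(html, page_origin, csp_header):
    """Map each absolute script URL on the page to whether the CSP would allow it."""
    parser = _ScriptSources()
    parser.feed(html)
    return {
        urljoin(page_origin + "/", src): script_allowed(csp_header, urljoin(page_origin + "/", src), page_origin)
        for src in parser.srcs
    }


# Constructed checkout page: one first-party script plus an injected third-party one,
# named after the click.js file from the report but hosted on a made-up domain.
SAMPLE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://ajaxclick.example/click.js"></script>
</body></html>"""
PAGE_ORIGIN = "https://shop.example"
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"           # permits any host
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        for url, ok in audit_page(SAMPLE_HTML, PAGE_ORIGIN, policy).items():
            print(f"{label:6} {'ALLOW' if ok else 'BLOCK'} {url}")
```

Under the weak policy both scripts load; under the strict one the injected third-party script is refused while the first-party and CDN scripts still work, which is the kind of tightening the article describes. A `report-uri` or `report-to` directive on the real header would additionally make such a blocked load visible to the site's operators.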