This article originally appeared in SC Magazine on August 22, 2019.
Cybercriminals are upping the ante when it comes to compromising websites with Magecart payment card skimmers, as evidenced by the recent discovery of two infected web domains used by poker enthusiasts.
A Malwarebytes blog post this week identified the two affected web pages as pokertracker.com and its subdomain pt4pokertracker.com. Both are related to a software application for poker players called PokerTracker 4. The app itself is not trojanized; however, its user interface displays the infected web pages, explained blog author Jerome Segura, Malwarebytes’ director of threat intelligence. Therefore players either using the app or visiting the poker websites directly were exposed.
Both sites were observed using a version of the Drupal content management system that was outdated (version 6.3x), and thus vulnerable to JavaScript injection. This allowed cybercriminals to inject the skimmer, which was specifically customized for pokertracker.com and attempted to exfiltrate data to the malicious domain ajaxclick[.]com. This site was found to host multiple skimmers, each customized for a different targeted website, including a second one for the pokertracker.com site.
“This is the type of activity we are accustomed to with Magecart, although the fact that the site was running Drupal instead of Magento (the most targeted platform by web skimmers) was a bit of a surprise,” remarked Segura in the blog post.
The choice of target was also unusual in that the affected sites were not traditional e-commerce checkout pages. “At the end of the day, anything that will load unvalidated JavaScript code is susceptible to being caught in the crosshairs,” Segura stated. “As a result, the Magecart robbers have a nice, wide playing field in front of them.”
According to Malwarebytes, the owners of PokerTracker fixed the vulnerable Drupal module and said that they tightened their Content Security Policy (CSP) to prevent future such incidents.
“While the site has made improvements to the [CSP], this move has its limits,” said Usman Rahim, digital security and operations manager for The Media Trust. “Developers use CSPs to enforce a white list of resources that a client browser can load resources from and sites that can interact with their site. However, such a list does not take into account the unknown third-party scripts these resources and sites bring in and allow to run on the site. Operators should therefore monitor the site for all scripts that run, in order to ensure that only those that they have authorized are able to execute. Doing so will not only address security, but also privacy issues at a time when data privacy laws are being enacted across the country and around the world.”
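As an added example of the allowlisting Rahim describes and of where it falls short, the following checker (not code from the article or from the PokerTracker site) evaluates the script URLs a page was observed loading against a CSP script-src directive; the hostnames are constructed stand-ins, and a loose policy that trusts any HTTPS origin is compared with a host-specific one.

```python
"""Audit observed script loads against a CSP script-src allowlist.

Added example, not code from the article or the PokerTracker site. Hostnames
are constructed stand-ins; matching is approximate (no ports, paths, nonces).
"""
from urllib.parse import urlparse

def parse_script_src(csp: str) -> list[str]:
    """Return the source expressions of the script-src directive (or [])."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading a script from url?"""
    target = urlparse(url)
    if expr == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr.startswith("'"):  # other keywords never match external URLs
        return False
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https:
        return target.scheme == expr[:-1]
    scheme, sep, rest = expr.partition("://")
    host = (rest if sep else expr).split("/", 1)[0]
    if sep and target.scheme != scheme:
        return False
    if host.startswith("*."):  # wildcard covers subdomains only
        return bool(target.hostname) and target.hostname.endswith(host[1:])
    return target.hostname == host

def audit_scripts(csp: str, page_origin: str, observed: list[str]) -> dict[str, bool]:
    """Map each observed script URL to whether the policy would allow it."""
    sources = parse_script_src(csp)
    return {u: any(source_matches(s, u, page_origin) for s in sources) for u in observed}

# Constructed sample: the page, the scripts seen loading on it, and two policies.
PAGE = "https://www.poker-site.example"
OBSERVED = [
    "https://www.poker-site.example/sites/all/modules/app.js",  # first-party
    "https://cdn.analytics-vendor.example/tag.js",              # authorised vendor
    "https://skimmer-host.example/click.js",                    # stands in for the exfil host
]
LOOSE_CSP = "default-src 'self'; script-src 'self' https:"      # trusts any HTTPS origin
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.analytics-vendor.example"
```

Under the loose policy all three loads are allowed, skimmer included; the host-specific policy blocks only the unauthorised host, which is why the observed-script inventory still matters when an allowlisted host is itself broad or compromised.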
“The PokerTracker hack illustrates a common cybersecurity issue: the failure of many companies to update their content management systems,” said Elad Shapira, head of research at Panorays. “In fact, Panorays’ research found that nearly one-third of U.S. management consultancy firms were running older versions of CMS[s] like WordPress and Drupal. If such is the case at critical suppliers, then it comes as no surprise that websites like PokerTracker are vulnerable as well.”
Magecart continues to be a burden for website operators. A recent RiskIQ analysis of six months worth of threat detection data (January through July 2019) found that 17.3 percent of malvertisements led to a Magecart infection attempt. “RiskIQ researchers recently discovered that Magecart groups… have… compromised creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once,” RiskIQ states in a company blog post.