Hacked To Inject Payment Card Stealing Script

By   ISBuzz Team
Writer , Information Security Buzz | Aug 21, 2019 06:44 am PST

A curious case of web-based card skimming activity revealed that the Poker Tracker website had been compromised and loaded a Magecart script – code that steals payment information from customers.

Online poker enthusiasts use the Poker Tracker software suite to improve their winning chances by making decisions based on statistics compiled from the opponents’ gameplay, Bleeping Computer reported.

Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Usman Rahim
Usman Rahim , Digital Security and Operations Manager
August 22, 2019 5:34 pm

The hacking of a popular site and software reveals the growing popularity of combining two attack methods: (1) compromising websites that use outdated versions of their content management platforms and (2) injecting credit card skimmers on to the page. Bad actors know too well the vulnerabilities of web content platforms. And, even when those platforms release new versions to address vulnerabilities, website operators often neglect making the needed updates. While the site has made improvements to the Content Security Policy (CSP), this move has its limits. Developers use CSPs to enforce a white list of resources that a client browser can load resources from and sites that can interact with their site. However, such a list does not take into account the unknown third-party scripts these resources and sites bring in and allow to run on the site. Operators should therefore monitor the site for all scripts that run, in order to ensure that only those that they have authorized are able to execute. Doing so will note only address security, but also privacy issues at a time when data privacy laws are being enacted across the country and around the world.

Last edited 4 years ago by Usman Rahim
Elad Shapira
Elad Shapira , Head of Research
August 21, 2019 8:46 pm

The PokerTracker hack illustrates a common cybersecurity issue: the failure of many companies to update their Content Management Systems (CMS). In fact, Panorays research found that nearly one-third of US management consultancy firms were running older versions of CMS like WordPress and Drupal.

If such is the case at critical suppliers, then it comes as no surprise that websites like Poker Tracker are vulnerable as well.

This incident serves as a reminder that companies should not also check the security of their own websites and technologies, but also take the opportunity to check that their vendors’ systems are up to date.

Last edited 4 years ago by Elad Shapira
David Kennefick
David Kennefick , Product Architect
August 21, 2019 2:50 pm

This particular vulnerabilities stems back to the implementation of an outdated CMS. As with many of these technologies there is a support structure of frameworks that need to be taken into account when they are deployed and supported. In this instance the exploit appears to have been planted via an outdated version of Drupal.

The core lessons that should be taken from this hack:

Advise for technology creators:

When creating technology, always be sure there is a strong patching policy for any framework that is being used. The Drupal instance on their website seems to be the main attack point here, the exploit will work in any browser on the same system as opposed to just the pokertracker in-built browser.
Always be wary of installing software from sources that are not entirely trusted. Just because you have to pay for software doesn’t mean there is a development team ready and waiting to support and patch the technology. According to Malwarebytes, “they rapidly identified the issue and removed the offending Drupal module”, this is a good response from Poker Tracker. An independent third party review of their technology and a more proactive patching policy may have stopped this exploit before it became an issue.
Advise for users:

Always be wary of software running on your device, especially if it is a device you use for processing transaction and gaming.
Have a proactive blocking system installed and its signatures updated. This is a good advertisement for Malwarebytes as their blocking worked as intended on a previously flagged domain. Windows Defender has also come on leaps and bounds since its initial release and could be considered also.
With the likes of virtual/disposable payment cards being more accessible, payments methods should be rotated and recycled if possible. Revolut and Monzo support this feature. Taking this proactive step earlier in the payments process adds a safety net for users in case card data is compromised.

Last edited 4 years ago by David Kennefick

Recent Posts

Would love your thoughts, please comment.x