PokerTracker Domain Discovered Infected with Credit-Card Skimming Code

Updated: August 23rd, 2019 by Haley Hintze

Recent purchasers of the popular online poker tracking software PokerTracker 4 have reason to be concerned after the security research firm MalwareBytes published a report on Tuesday confirming that two domains associated with the program had been infected with credit-card skimming code linked to a large criminal hacking group.

The report by MalwareBytes came 12 days after a PokerTracker customer, posting as “Smoking Joker” on the MalwareBytes forum, reported that opening the PT4 software triggered a “fraud block” on the PokerTracker domain, which was in turn sending traffic to another domain, ajaxclick(.)com. This other domain has been known for some time to host numerous credit-card skimming modules and has been associated with the “Magecart” family of online-crime groups, which has targeted thousands of online sites of all types over the past several years.

The investigation found that the hackers had successfully infected both the primary domain and a prominent subdomain. The “pt4” subdomain was also loaded whenever the user’s software package was open. The infection was a script injected into the site’s pages that loaded the skimmer and sent users’ credit-card details to the Magecart-controlled domain.

According to MalwareBytes, “Every time users were launching PokerTracker 4, it would load the compromised web page within the application, which would trigger a block notification from Malwarebytes as the skimming script attempted to load. However, it’s worth noting that users going directly to the poker website were also exposed to the skimmer.” When MalwareBytes ran their own tests, they received a popup alert such as this:

[Image: the Malwarebytes block notification shown when the skimmer script attempted to load. Source: MalwareBytes]

“We reported this incident to the owners of PokerTracker and they rapidly identified the issue and removed the offending Drupal module. They also told us that they tightened their Content Security Policy (CSP) to help mitigate future attacks via harmful external scripts.”
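The Content Security Policy tightening that MalwareBytes mentions is worth seeing concretely. The JavaScript below is an added example, not code from the page, from PokerTracker or from Malwarebytes: it evaluates the script-src (or fallback default-src) allowlist of a CSP header against a script URL, then compares a permissive policy that admits a script from ajaxclick(.)com with a tightened policy that blocks it while still permitting first-party and named-CDN scripts. Only the ajaxclick(.)com host comes from the report; the poker hostnames, the CDN and the script paths are assumed placeholders, and nonces, hashes, path matching and 'strict-dynamic' are deliberately not modelled.

```javascript
// Added example (not PokerTracker's, Max Value Software's or Malwarebytes' code):
// a minimal evaluator for the script-src/default-src part of a Content-Security-Policy,
// used to show why a tightened CSP stops an externally hosted skimmer from loading.
// Simplifications: nonces, hashes, path matching and 'strict-dynamic' are not modelled.

// Parse "name value value; name value" into { name: [values] }. As in the spec,
// the first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// CSP host matching: "*.example.com" matches subdomains only, never the bare apex.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression permit loading scriptUrl from a page at pageUrl?
function sourceMatches(src, scriptUrl, pageUrl) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (s.startsWith("'")) return false;                 // 'unsafe-inline', nonces, hashes: no URL match
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scriptUrl.protocol === s; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9*][a-z0-9.*-]*)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const scheme = m[1];
  const host = m[2];
  const port = m[3];
  if (scheme) {
    if (scriptUrl.protocol !== scheme + ":") return false;
  } else if (scriptUrl.protocol !== pageUrl.protocol && scriptUrl.protocol !== "https:") {
    return false;                                       // scheme-less host-source: page scheme or https
  }
  if (!hostMatches(host, scriptUrl.hostname)) return false;
  if (port === undefined) return scriptUrl.port === "";  // default port only
  if (port === "*") return true;
  return scriptUrl.port === port;
}

// Decision for one script load. A missing script-src falls back to default-src;
// with neither present the browser applies no restriction at all.
function scriptAllowed(cspHeader, scriptUrlStr, pageUrlStr) {
  const csp = parseCsp(cspHeader);
  const sources = csp["script-src"] !== undefined ? csp["script-src"] : csp["default-src"];
  if (sources === undefined) return true;
  const scriptUrl = new URL(scriptUrlStr);
  const pageUrl = new URL(pageUrlStr);
  return sources.some((src) => sourceMatches(src, scriptUrl, pageUrl));
}

// Constructed inputs: the poker hostnames and CDN are assumed placeholders; ajaxclick.com
// is the skimmer host named in the Malwarebytes report, but the script path is made up.
const PAGE = "https://pt4.example-poker.com/store/checkout";
const FIRST_PARTY = "https://pt4.example-poker.com/js/checkout.js";
const CDN = "https://cdn.example-poker.com/lib.js";
const SKIMMER = "https://ajaxclick.com/click.js";

// Weak policy of the kind that lets any third-party script run.
const WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'";
// Tightened policy: scripts only from the page's own origin and one named CDN.
const TIGHT_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example-poker.com; " +
  "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

function demo() {
  return {
    weakAllowsSkimmer: scriptAllowed(WEAK_CSP, SKIMMER, PAGE),
    tightAllowsSkimmer: scriptAllowed(TIGHT_CSP, SKIMMER, PAGE),
    tightAllowsFirstParty: scriptAllowed(TIGHT_CSP, FIRST_PARTY, PAGE),
    tightAllowsCdn: scriptAllowed(TIGHT_CSP, CDN, PAGE),
  };
}

console.log(demo());
```

Run it with `node`. The caveat a practitioner should keep in mind: an allowlist like this only stops scripts fetched from hosts that are not on it. If the same compromised Drupal module had written the skimmer inline into the page rather than loading it from ajaxclick(.)com, blocking it would require dropping 'unsafe-inline' in favour of nonces or hashes, and in either case the real fix is patching or removing the vulnerable module, with the CSP serving as the second layer.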

The “offending Drupal module”, as TechRadar explained in a separate feature, was compromised through the exploitation of what MalwareBytes politely called an “outdated” Drupal module; TechRadar’s account makes it clear that “antiquated” would have been a better adjective. Drupal, an open-source content management system, was running on the PokerTracker domains at version 6.3.x. Drupal 6 was released in 2008 and superseded by Drupal 7 in 2011, and Drupal 6 itself reached end of life in early 2016, after which it received no further security fixes from the project. The project’s current major version is Drupal 8, whose 8.6 branch stands at 8.6.17. According to TechRadar, “[I]n that time, many known vulnerabilities have been patched.”

Though it’s great that the malicious code was discovered and removed, there was no indication in the first 72 hours following publication of the MalwareBytes piece that PokerTracker or its parent company, Max Value Software, had issued a statement regarding the incident. While it may take some time to determine exactly when the malicious code was injected, it seems a customer-service fail for MVS not to have a statement and contingency plans ready to reassure potentially affected customers. The likeliest scenario is that the compromise occurred at some point early this month and was in place for two weeks or less, but only official confirmation will establish that. In the meantime, anyone who entered card details on the site during that window would be wise to monitor their card statements and consider asking their issuer for a replacement card.

More serious is the lack of basic diligence shown by someone at MVS in leaving Drupal components as much as a decade old in place, given how commonplace such attacks are and that Drupal 6’s vulnerabilities had long since been publicly documented. Finding software that antiquated on an e-commerce site represents a rather basic failure.

Max Value Software will likely be forced to evaluate its credit-card processing code for all of its products, which include Poker Ninja, Hold’em Manager, and several other popular titles. Collectively, MVS is believed to be the world’s largest publisher of so-called “third party” online-poker software programs, a category which also remains a controversial element of modern online poker.
