
Cyber Incident Victim: PokerTracker.com

Date: Aug 2019

Location: United States of America

Summary

A poker analytics platform was compromised via an outdated Drupal version, enabling attackers to inject a customized Magecart skimmer script into both its website and software client. The malicious code intercepted payment card details during transactions by matching input fields, then encrypted the stolen data with a weak hardcoded password before exfiltrating it. Researchers identified the skimmer as part of a broader campaign targeting multiple victims with tailored scripts, though Drupal compromises were atypical for such attacks. The operators promptly remediated the breach by removing the malicious payload and strengthening their Content Security Policy to prevent unauthorized resource loading. Payment data entered through either the web interface or the application was systematically harvested before mitigation.


Description

In early August 2019, security researchers observed anomalous activity involving PokerTracker.com, a platform providing statistical analysis software for online poker players. On August 8, Malwarebytes anti-malware software detected and blocked connections from the PokerTracker application to ajaxclick[.]com, a domain associated with credit card skimming operations. Subsequent investigation revealed that both the PokerTracker website and a subdomain (pt4.pokertracker.com) used by the desktop software to display web content had been compromised. Attackers injected malicious JavaScript code into these systems, causing the PokerTracker application to load the skimming script automatically upon launch. This script targeted customers entering payment information during checkout processes on the website or within the application interface. The infection vector stemmed from PokerTracker.com running Drupal 6.3.x, an outdated content management system version with known security vulnerabilities that had not received official security support since February 2016.


Analysis of the skimming script (named click.js) revealed tailored functionality designed specifically for PokerTracker’s payment forms. The malware harvested payment card details by monitoring input fields, then serialized and encrypted the stolen data using the weak password 'love1234' before exfiltrating it to attacker-controlled servers. Security researchers noted that the script contained hardcoded references to PokerTracker.com and used variable names matching the website’s checkout fields, indicating deliberate customization for this target. Examination of the attackers’ infrastructure revealed multiple similarly customized skimmers for different victims. PokerTracker’s operators responded promptly upon notification, removing the malicious code and implementing enhanced Content Security Policy (CSP) measures to restrict unauthorized script execution. The compromise exposed customer payment data processed through both the website and the software client during the infection period, though the exact duration of unauthorized access and the number of affected users were not disclosed in available reports.
