PokerTracker Exec Confirms Credit-Card Hack Occurred at Start of 2019
An initial public statement has been made on behalf of PokerTracker online-poker tracking software following the discovery by anti-hacking company MalwareBytes that two domains associated with PokerTracker had been injected with credit card-scraping code. The statement, in the form of a post on the 2+2 discussion forum by Max Value Software, LLC (MVS) managing partner Derek Charles, confirms the discovery of the hack on August 8 while adding details about the hacking incident.
According to Charles, the antiquated Drupal open-source content-management script that was exploited by the Magecart attack was removed within an hour of MVS being notified on August 8 of the probable hack. Of course, by that time the damage had been done. Further, a programming audit showed that the hack likely occurred between December 23, 2018 and January 2, 2019, meaning that up to eight months of credit-card purchases of PokerTracker 4 were compromised.
Charles offered a bullet-point synopsis of what his company has uncovered regarding the hack:
- This was a highly customized and targeted attack of PokerTracker.com and it’s customers. The script was being loaded from ajaxclick.[com] which has not previously been seen in the wild.
- It appears that the attack took place between December 23, 2018 and January 2, 2019.
- We believe that the attackers were attempting to intercept credit card information while it was being sent from the user’s browser to the credit card processor. We do not have any information to confirm or deny whether the hackers were able to successfully intercept credit card and/or billing data.
- PokerTracker does not save or store any credit card or billing information on our servers. Only those customers who attempted to purchase via credit card while the rogue script was on the site are affected. We estimate that the number of affected customers is in the low thousands and we are in the process of notifying them.
- The PokerTracker 4 application and your data within PokerTracker 4 has never been compromised. PokerTracker 4 does load an internal browser for the community page which would have loaded the rogue script but it is not technically possible for the script to gain access to view your data within the PokerTracker application.
- We have no reason to believe that your PokerTracker.com username or password were intercepted; however, to be abundantly cautious we recommend changing your password.
The first point needs some clarification. The ajaxclick.(com) site actually hosts numerous credit-card skimmers associated with the Magecart criminal operation. However, most of the other skimmers attack flaws in another and more-popular e-commerce CMS platform, Magento. Drupal vulnerabilities have also been known for years, so “not previously been seen in the wild” is an exact-combination qualification true only in a technical sense.
The length of time the hack was in place will also be of concern to PT4 customers. Charles also posted this: “If you entered your credit card information on the PokerTracker.com website between the dates of December 23, 2018 and August 8, 2019 we will be contacting you to urge you to closely monitor your credit card activity for any fraudulent purchases. If you notice a fraudulent charge, please immediately contact the telephone number on the back of your credit card to notify them of the fraudulent activity.”
However, nearly half of the period for which credit-card info was presumably stolen already falls outside the 120-day window that most major credit-card providers allow for fraud-related chargebacks. Max Value Software has also allowed nearly three more weeks to elapse without issuing formal warnings to affected customers. That translates directly into more transactions that may well have slipped beyond the 120-day recovery window.