An unusual case of site hacking may have affected some recent purchasers and users of PokerTracker 4, the industry-leading online-poker statistics program published by Max Value Software, also the publisher of Hold’em Manager, Table Ninja, and several other popular software offerings.
According to leading anti-virus researcher MalwareBytes, unknown members of a notorious credit-card skimming operation known as Magecart — identifiable through its various methods of operation — were able to inject malicious code into both the main pokertracker.com domain and the pt4.pokertracker.com subdomain. The credit-card thieves exploited a vulnerability existing in the long-outdated version of the open-source Drupal content-management software being used by PokerTracker.
When the hacking occurred has yet to be revealed, though it was likely sometime during the first days of August. On August 8, a MalwareBytes forum poster named Smoking Joker posted a virus-warning popup he received when starting up his PT4 software:
Though MalwareBytes didn’t act immediately on the tip — the researchers receive an overwhelming number of tips and tidbits — when they did get around to checking it out, the evidence of another Magecart hacking operation quickly appeared. The domain and IP address shown in the popup were already well known to MalwareBytes and other anti-fraud entities for their connection to the Magecart criminal ring.
On August 20, nearly two weeks after the Smoking Joker post, MalwareBytes published its findings confirming the pokertracker.com and pt4.pokertracker.com domains had been hacked.
MalwareBytes also determined that it was a targeted attack, both in going after an e-commerce site and seeking to exploit a known software vulnerability: “The skimmer was customized for the pokertracker.com site, as not only do the variable names match its input form fields, but the data portion of the skimmer script has the site’s name hardcoded as well.”
The Drupal code version being used by Max Value Software was significantly outdated. Drupal 6 was released in 2008 and various patches were released until the next generation, Drupal 7, was published in 2007. The current version of Drupal is 8.6.17, and it encompasses years of security patches.
The credit-card skimming code was activated every time PT4 users opened their software. While the pokertracker.com domain offers the program’s front-end Internet presence, the related pt4.pokertracker.com subdomain hosts such things as the software’s discussion forums, and link calls to it are made every time the PT4 software runs.
MalwareBytes offered this by way of explaining that the vulnerability has since been closed:
Every time users were launching PokerTracker 4, it would load the compromised web page within the application, which would trigger a block notification from Malwarebytes as the skimming script attempted to load. However, it’s worth noting that users going directly to the poker website were also exposed to the skimmer.
We reported this incident to the owners of PokerTracker and they rapidly identified the issue and removed the offending Drupal module. They also told us that they tightened their Content Security Policy (CSP) to help mitigate future attacks via harmful external scripts.
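To show what the CSP tightening mentioned above actually buys a site owner, here is an added example (not code from the page, PokerTracker, or Malwarebytes) that lists the external script hosts in a page and reports which ones a given script-src directive would refuse to load. The HTML, the CSP strings and the placeholder hosts are all constructed for the example; the CSP matching is simplified (hosts only, no scheme or port rules).

```python
# Added example: model how a tightened Content Security Policy blocks an
# injected third-party skimmer script while a permissive one lets it load.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_src_allowlist(csp: str) -> set:
    """Return the source list of the script-src directive in a CSP header."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return set(parts[1:])
    return set()


def external_scripts_blocked_by_csp(html: str, csp: str, page_host: str) -> list:
    """Hosts of external <script src> tags that script-src would not allow.
    Simplified model: a host passes if it is listed, if '*' is listed, or if
    it equals the page host and 'self' is listed; relative URLs are same-origin."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    allowed = script_src_allowlist(csp)
    blocked = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL, served from the page's own origin
        if (host == page_host and "'self'" in allowed) or host in allowed or "*" in allowed:
            continue
        blocked.append(host)
    return blocked


# Constructed sample page: one first-party script plus one injected script from
# a placeholder host (not the real skimmer domain named in the Malwarebytes report).
SAMPLE_HTML = """<html><head>
<script src="/sites/all/themes/pt4/js/main.js"></script>
<script src="https://skimmer-placeholder.example/loader.js"></script>
</head><body></body></html>"""

LAX_CSP = "default-src *; script-src * 'unsafe-inline'"           # loads everything
TIGHT_CSP = "default-src 'self'; script-src 'self' cdn-placeholder.example"  # allowlist only
```

Run against the sample, the lax policy blocks nothing, while the tightened policy reports the injected host, which is the outcome the quoted remediation aims for.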
That the issue was rapidly identified and fixed is all well and good, but it leaves several other questions unanswered. For instance, why was Max Value Software running its e-commerce site for PT4 through an open-source software edition roughly a decade old?
Further, roughly three days have elapsed since MalwareBytes published its findings. Though PokerTracker support has continued to interact with users on various discussion forums, there has been no announcement anywhere to date regarding the hacking and probable credit-card exposure. Nor is there any evidence that MVS has directly contacted users whose payment details may have been compromised.
While it’s likely the company is still researching the hacking, there are several issues needing immediate clarification. For instance, when exactly were the two domains hacked, and when was the security hole finally closed? Were PokerTracker 4 and its support sites the only MVS software offerings to be affected? It seems incongruous to suggest that the company’s most popular software would have been run on a domain with content-management software that outdated, and not have similarly antiquated platforms also in place for other offerings.
It’s not the first time third-party software has been part of a hacking situation. Way back in 2006, a site called checkraised.com offered a free program called RBCalc (a rakeback calculator) to its users, only to discover that the independent programmer it had hired to create the program had inserted malware allowing login information for a large number of poker sites to be stolen. RBCalc was immediately yanked, but the damage was already done. Checkraised.com soon closed up shop in the face of all the adverse publicity.
It’s highly unlikely Max Value Software will suffer a similar fate, but at the moment, the company is wearing a hefty facial egg wrap. In recent months MVS has been on the warpath against partypoker for that site’s decision to take steps making third-party software programs such as MVS’s less effective. MVS execs have claimed that their programs make all of online poker a safer environment. Problem is, safety comes in more than one form.