Threat Watch

Magecart Skimmers Found on Online Poker Website

Magecart: The root domain and subdomain of PokerTracker have been found to contain a skimmer that steals their clients' card numbers. The infection was the result of an out-of-date Drupal module (6.3x), which PokerTracker has since removed. Magecart typically deploys these types of skimmers on e-commerce websites, but the group has changed its tactics. The domain ajaxclick[.]com was compromised, and through an HTTP GET request it would retrieve a malicious JavaScript file called click[.]js. The skimmer was custom-designed for the PokerTracker domains and was not reused from a previous attack. Ajaxclick[.]com included many different skimmers, each custom-made for its target site. This prevents researchers from breaking apart just one skimmer and forces each skimmer to be broken down individually.
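For site owners who want to check their own pages, the following is an added example, not part of the original brief: a static audit that lists every script reference on a page and flags any host matching the defanged indicator above, including its subdomains. It assumes the skimmer is referenced through a `<script src>` tag; the function names, `shop.example`, `widgets.example.net`, the `cdn.` subdomain and the URL paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFANGED_IOCS = ["ajaxclick[.]com"]  # indicator as written in the brief

def refang(indicator):
    """'ajaxclick[.]com' -> comparable hostname; done only for matching."""
    return indicator.replace("[.]", ".").lower()

def host_matches(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())

def audit_scripts(html, page_host, allowlist=()):
    """Return (src, verdict) for each script reference in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    iocs = [refang(i) for i in DEFANGED_IOCS]
    trusted = [page_host.lower(), *(d.lower() for d in allowlist)]
    findings = []
    for src in collector.sources:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if any(host_matches(host, d) for d in iocs):
            verdict = "known-bad"
        elif any(host_matches(host, d) for d in trusted):
            verdict = "trusted"
        else:
            verdict = "unreviewed"
        findings.append((src, verdict))
    return findings

# Constructed sample page; host names other than the indicator are made up.
BAD = refang(DEFANGED_IOCS[0])
SAMPLE = (f'<script src="/js/app.js"></script><script src="https://{BAD}/click.js">'
          f'</script><script src="//cdn.{BAD}/x.js"></script>'
          '<script src="https://widgets.example.net/chat.js"></script>')
```

This only sees script tags present in the served HTML; loaders injected inline or added at runtime need a rendered-page crawl or Content-Security-Policy violation reports to surface.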

ANALYST NOTES