Hacked Republican website skimmed donor credit cards for 6 months

A website used to fund the campaigns of Republican senators was infected with malware that for more than six months collected donors' personal information, including full names, addresses, and credit card data, a researcher said.

The storefront for the National Republican Senatorial Committee was one of about 5,900 e-commerce platforms recently found to be compromised by malicious skimming software, according to researcher and developer Willem de Groot. He said the NSRC site was infected from March 16 to October 5 by malware that sent donors' credit card data to attacker-controlled domains. One of the addresses—jquery-code[dot]su—is hosted by dataflow[dot]su, a service that provides so-called bulletproof hosting to money launderers, sellers of synthetic drugs and stolen credit card data, and other providers of illicit wares or services.

De Groot said it's not clear how many credit cards were compromised over the six months the site was infected. Based on data from TrafficEstimates, the NRSC site received about 350,000 visits per month. Assuming 1 percent of those visits involved the visitor using a credit card, that would translate to 3,500 transactions per month, or about 21,000 transactions over the time the site was compromised. Assuming a black market value of $4 to $21 per compromised card, the crooks behind the hack may have generated revenue of $600,000.

"This clever form of card skimming has been going for a while, at least since March," de Groot wrote in an October 4 post revealing the NSRC compromise. "The culprits are hiding behind a shell company in Belize. Their business is growing rapidly."

The NSRC site was disinfected on October 6, two days after the post. Word of the NSRC site compromise didn't receive much attention until it was reported Monday by CSO Online.

In a report published last week, de Groot said he uncovered 5,900 online platforms that were similarly compromised. He identified three distinct malware families and nine variants responsible, a finding that suggested that multiple people or groups are involved. In some cases, e-commerce platforms were running outdated versions with known security vulnerabilities that allowed attackers to gain control. Other times, attackers appeared to exploit weak passwords used to protect administrator accounts. Below is a video demonstrating how the hack worked:

Word of the NRSC compromise comes a few months after the disclosure of hacks affecting the Democratic National Committee and the Democratic Congressional Campaign Committee. Those attacks have resulted in the publication on WikiLeaks and elsewhere of tens of thousands of private e-mails belonging to senior democratic officials. According to both FBI officials and some independent researchers, the hacks targeting Democrats were carried out by attackers sponsored by the Russian government in an attempt to disrupt or influence the US presidential election. By contrast, the compromise of the NRSC appears to be carried out by financially motivated criminals.