Republicans hacked, skimmed NRSC donations sent to Russian domain

Hundreds, if not thousands of donations made to the NRSC this year were likely compromised

Election 2016 teaser - Republican vs Democrat

Republicans who gave money to the National Republican Senatorial Committee (NRSC) this year, in order to help support incumbent Republican senators, might want to check their credit card statements.

Those who donated to the NRSC between March 16 and October 5, 2016, conducted their transaction on a platform that was compromised by malicious code designed to steal credit card details and personal information. The NRSC quietly corrected the problem sometime around October 6, 2016.

The hacked storefront, which powers the NRSC donation system, was discovered by Willem de Groot – a Dutch developer who discovered thousands of compromised websites running vulnerable versions of the Magento e-commerce platform.

The compromised NRSC transactions included the donor’s first name, last name, email address, billing details (address, city, state, and zip code), employer details, occupation, card type, card number, card expiration, and security code.

Once the data was collected by the malicious code, the compromised transactions were then sent to one of two different domains.

Earlier this year, the criminals responsible for skimming the card data were using jquery-cloud[.]net to receive the compromised records. Later, the code on the NRSC website was altered to send skimmed transactions to jquery-code[.]su.

The malicious .su domain is still operational, and it’s hosted on a network (Dataflow) with some suspicious, if not outright criminal clients – including those that deal with drugs, money laundering, Phishing, and spam.

It isn’t clear who is behind the attack, as anyone can register a domain and obtain hosting. One interesting observation made by de Groot during his research, was that Dataflow and jquery-cloud[.]net came online together during the same week in November of 2015.

As for impact, it’s hard to tell how many transactions on the NRSC website were compromised. Going by traffic, de Groot said that upwards of 3,500 compromised transactions per month were possible.

Based on reporting to the Federal Election Commission, the NRSC collected more than $30 million in contributions since March 2016, when the card skimming code was first observed on their domain. But again, this total is for all funds collected, and doesn't single out credit card donations.

As mentioned, once the issue became public earlier this month, the NRSC quietly replaced the compromised storefront with a new one powered by WordPress. The criminals behind this particular compromise targeted Magento in this case, but they've also targeted OpenCart and Powerfront CMS.

Salted Hash attempted to reach out to the NRSC over the weekend, but the committee hasn’t responded to queries. As of October 17, the NRSC website makes no mention of the new storefront, or the compromised e-commerce platform. [See update below]

Unfortunately, this means GOP supporters who had their credit card information compromised could be caught by surprise once their accounts show signs of fraudulent activity, and left completely unaware of the problem's root cause.

During his research, de Groot determined that more than 5,400 storefronts were compromised by the same type of malicious code used on the NRSC domain. So far, he has discovered nine variants of the skimming code, suggesting that multiple people (or groups) are involved.

When de Groot reached out to victims, in an attempt to alert them about their compromised domains, many of the website owners failed to understand the full impact of the situation.

Some responded to the warnings by arguing to de Groot that the code added by the criminals didn’t matter because – “our payments are handled by a 3rd party payment provider” or “our shop is safe because we use HTTPS.”

Those responding like this are missing the bigger point; if the code running the payment processing system is compromised, 3rd-party processing and HTTPS will not prevent a criminal from obtaining your card data or personal information.

A full list of the storefronts compromised by the skimming code is available on GitLab. Over the weekend, GitLab removed the list in error, but they’ve since restored the list with an apology.

Update: Salted Hash came across a NRSC statement made to Reuters on October 6. In it, the NRSC said the issue impacted a small number of supporters (0.0018 percent) and they would contact them directly. They didn't share any additional details. In addition, the NRSC said they found no evidence that its primary donation system was hacked.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)