Hackers hit Republicans and stole credit card information of donors, sending it to Russian servers

Suspected Russian hackers are believed to have been skimming credit card information of Republican donors for the past six months. The web store of the National Republican Senatorial Committee (NRSC) is believed to be one of over 5,900 e-commerce sites allegedly hacked by the same threat actors.

According to Dutch security researcher Willem De Groot, anyone who purchased products from and/or donated to the NRSC via its website likely had their credit card information stolen and possibly sold on the dark web. De Groot also said that the stolen data was found sent to a network of servers located in Belize and run by a Russian-language internet service provider.

There is no comment yet from the Republicans on the matter. However, De Groot said the party "rushed to secure their store" on 6 October.

De Groot added, "I do not know how many credit cards were stolen from the Republican store but I can make an educated guess. According to TrafficEstimates, the Republican store has received some 350K visits per month lately. A conservative conversion ratio of 1% yields 3500 stolen credit cards per month, or 21K stolen credit cards since March. Black market value per card is between $4 and $120, so I assume a modest $30 per card. The villains could have made roughly $600K on this store alone."

De Groot also said that his analysis of the malware within the NRSC site revealed that the hackers used security vulnerabilities or weak passwords to hack into the numerous e-commerce sites. He also noted that the hackers appeared to have inserted the malware within the e-commerce sites' database, which in turn could have helped them operate under the radar. The Dutch researcher noted that the hackers have been at it since March and are "hiding behind a shelf company in Belize."

Other sites affected by the malware included sites belonging to Converse, Audi, OXO and more. De Groot said that while some sites had already fixed the issue, the hackers continued to infect new sites with their malware. "Last Monday my scans found about 5,900 hacked sites," he said. "When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised."

Security journalist Brian Krebs, who also reported on De Groot's findings, said, "Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.

"These attacks drive home one immutable point about malware's role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it's 'game over' for the security of that Web session."