The Magecart group strikes again with a fresh wave of skimming attacks aimed at booking websites of chain-brand hotels. The attacks targeting two hotel websites belonging to two different hotel chains were detected by Trend Micro researchers at the beginning of September.
The sites contained JavaScript code that loaded a remote script on their payment page. The interesting part is that if the script was fetched through a standard browser on a computer, the JavaScript it returned was not malicious. However, if the victim accessed the site from a mobile device such as an Android or iOS phone, the same link downloaded a credit card skimmer designed to steal the information entered on the hotel booking page and send it to a remote server.
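A defender-side check for the device-conditional delivery described above, written as an added example for this article (not code from Trend Micro, Roomleader or the hotel sites): fetch a third-party script under several User-Agent profiles and flag any divergence between them, or any mismatch against a pinned hash. The URL, the profile strings and the responses returned by `fake_fetch` are constructed; `http_fetch` is the real fetcher you would substitute when monitoring a live page.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional

# Illustrative User-Agent strings for the device profiles a monitor should compare
# (assumed values, not taken from the article).
PROFILES: Dict[str, str] = {
    "desktop-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0",
    "android-chrome": "Mozilla/5.0 (Linux; Android 13) Mobile Chrome/117.0",
    "ios-safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) Mobile Safari/604.1",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def http_fetch(url: str, user_agent: str, timeout: float = 10) -> bytes:
    """Real fetcher: GET the script with the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def check_script_variants(url: str, fetch: Callable[[str, str], bytes],
                          profiles: Dict[str, str] = PROFILES,
                          pinned_hash: Optional[str] = None) -> dict:
    """Fetch `url` once per profile and report hashes, profiles that differ from the
    desktop baseline, and profiles whose body fails the pinned hash (if supplied, as
    you would pin a script for Subresource Integrity). A third-party script that
    changes with the device type is exactly what the hotel skimmer relied on."""
    hashes = {name: sha256_hex(fetch(url, ua)) for name, ua in profiles.items()}
    baseline = hashes["desktop-chrome"]
    divergent = sorted(n for n, h in hashes.items() if h != baseline)
    pin_failures = sorted(n for n, h in hashes.items() if pinned_hash and h != pinned_hash)
    return {"hashes": hashes, "divergent": divergent, "pin_failures": pin_failures,
            "suspicious": bool(divergent or pin_failures)}

# Constructed stand-in bodies: the same URL returns one script to desktop browsers
# and a different one to mobile browsers, mirroring the behaviour described above.
BENIGN = b"window.viewedHotels = window.viewedHotels || [];"
MOBILE_VARIANT = b"window.viewedHotels = []; /* constructed: body differs on mobile */"

def fake_fetch(url: str, user_agent: str) -> bytes:
    """Offline stand-in for http_fetch, keyed on the 'Mobile' token in the UA string."""
    return MOBILE_VARIANT if "Mobile" in user_agent else BENIGN

if __name__ == "__main__":
    report = check_script_variants("https://example.invalid/viewedHotels.js", fake_fetch)
    print(report["suspicious"], report["divergent"])
```

Run this periodically against every script your payment page loads from a third party and alert on `suspicious`; a pinned hash additionally catches changes that affect all profiles at once.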
The researchers found that both of the websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code was not hosted on the affected sites themselves, but rather was injected into the script of Roomleader’s module called “viewedHotels”, a library used for saving the viewed hotel information in the visitor’s browser cookies.
Although the campaign impacted only a small number of hotel booking websites, the attack can still be considered significant, given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries, Trend Micro said without revealing the names of the hotel chains affected by the new Magecart campaign.
The skimmer itself is not unique and is designed to steal data from payment forms. It can gather various information, including names, email addresses, telephone numbers, hotel room preferences, and credit card details. The researchers also noted that this Magecart-related attack removes the credit card input form from the booking page and replaces it with a version created by the attackers. According to Trend Micro, there are two possible explanations for this. One is that some hotels do not ask for a CVV/CVC security code until their customers arrive. In such cases, the booking form asks for credit card information but not the CVC number, so by replacing the original form with a fake one the attackers ensure that they capture this important data.
The second possible reason is that some booking pages host payment information on a different domain, using HTML iframes to make it more secure.
“In this scenario, a regular JavaScript skimmer will not be able to copy the data inside the secure iframe. Therefore, the attacker removes the iframe of the secured credit card form and injects his own form so the skimmer can copy the information,” Trend Micro said.
In addition, the malicious script checks which language the customer is using for the website (English, Spanish, Italian, French, German, Portuguese, Russian, or Dutch) and injects the corresponding fake credit card form into the page.
The researchers were not able to find any evidence of involvement of this particular threat actor in previous Magecart campaigns, but they said “it’s possible”.