Magecart strikes again: hotel booking websites come under fire

Card-skimmers may have impacted close to 200 hotel properties and their customers.
Written by Charlie Osborne, Contributing Writer

A fresh wave of Magecart-linked attacks is taking place with the hotel booking websites becoming the latest victims. 

Earlier this week, cybersecurity firm Trend Micro said that in early September, two hotel booking websites -- owned by separate chains -- were being injected with a JavaScript-based card-skimmer.

If the script was accessed remotely through a standard browser on a PC, loaded JavaScript was not malicious. 

However, if requested from a mobile device such as an Android or iOS handset, the "same link could also download a different script," the team says, which is, in fact, a credit card skimmer. 

The injected code, which would appear on the payment page of the hotel websites, appears to have been active since August 9. Payment card details input by unwitting victims are harvested and sent to a remote server controlled by attackers. 

Trend Micro says the impacted websites did not host the code themselves, but rather it was found in scripts provided by the developer of the domains, Roomleader. 

Specifically, a JavaScript library called by Roomleader client websites uses a module called "viewedHotels." The module is intended to be a way for saving viewed hotel information to visitor browser cookies but is, instead, serving malware.  

Trend Micro says that while the number of websites affected is small, it is still significant considering one brand caters for 107 hotels, while the other supports 73 hotels. These establishments are located in a total of 28 countries. 

The skimmer itself is generic and copies data including names, email addresses, telephone numbers, and payment card details. However, an interesting element is the fact this Magecart-related attack removes any credit card information input into a booking page and replaces it with another, crafted version. 

See also: Old Magecart web domains resurrected for fraudulent ad schemes

According to the team, there are two reasons for this which are most likely -- the first being that some hotels will not ask for a CVV/CVC security code until they arrive, and so by replacing the form, the threat actors can also attempt to secure this key data. 

Secondly, it may be due to booking pages that host payment information in a different domain using HTML iframes in a bid to aid security. 

"In this scenario, a regular JavaScript skimmer will not be able to copy the data inside the secure iframe," Trend Micro says. "Therefore, the attacker removes the iframe of the secured credit card form and injects his own form so the skimmer can copy the information."

The injected code will check to see which language is in use -- such as English, Spanish, or French -- and will add a corresponding malicious credit card form. 

CNET: The pivot to privacy could come with a $100 million grant

It is not known how many individuals may have been impacted. Trend Micro says that it is also difficult to determine whether or not this threat group has been involved in previous Magecart campaigns due to a lack of evidence provided by network infrastructure or code, but added that it is certainly "possible." 

In the past, Magecart groups have been connected with card-skimmer attacks taking place against companies including Ticketmaster, Newegg, and British Airways

Researchers from RiskIQ recently documented a new trend related to Magecart -- the purchase of old, sinkholed domains for new malvertising schemes

TechRepublic: How to handle the public disclosure of bugs and security vulnerabilities

These domains are used to host malicious scripts called by infected websites, as well as to facilitate the theft of data. According to the researchers, once a domain has been recognized, sinkholed, and cut out of the attack chain, fraudsters wait until they also expire and are returned to the market by registrars. 

Once this occurs, these domains are purchased and the old JavaScript-based call routes are replaced not with card-skimming malware, but pages with advertisements -- which suggests those behind this 'secondary market' are attempting to cash-in on fraudulent advertising. 

ZDNet has reached out to Roomleader and will update if we hear back. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards