A fresh wave of Magecart-linked attacks is taking place, with hotel booking websites becoming the latest victims.
However, if requested from a mobile device such as an Android or iOS handset, the "same link could also download a different script," the team says, which is, in fact, a credit card skimmer.
The injected code, which would appear on the payment page of the hotel websites, appears to have been active since August 9. Payment card details input by unwitting victims are harvested and sent to a remote server controlled by attackers.
Trend Micro says the impacted websites did not host the code themselves, but rather it was found in scripts provided by the developer of the domains, Roomleader.
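The two details above, a third-party script that only serves the skimmer to some clients and a site owner who does not control that script, suggest a simple check a site operator can run: fetch the vendor script with several User-Agent strings, compute the Subresource Integrity hash of each response, and flag any divergence or any mismatch with a pinned hash. This is an added example, not code from the article or from Roomleader; the User-Agent strings, the `fetch` callable and the server responses are constructed for the demonstration.

```python
import base64
import hashlib
from typing import Callable, Dict, Optional

# Sample desktop and mobile User-Agent strings for the differential fetch.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0",
    "android": "Mozilla/5.0 (Linux; Android 9; Pixel 3) Chrome/76.0 Mobile",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Safari/604.1",
}

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def check_script_variants(
    url: str,
    fetch: Callable[[str, str], bytes],
    pinned: Optional[str] = None,
    user_agents: Dict[str, str] = USER_AGENTS,
) -> dict:
    """Fetch `url` once per User-Agent via `fetch(url, ua)` and compare hashes.

    Flags two conditions: the body differs between clients (one UA is served a
    different script, as with the mobile-only skimmer) and any variant that does
    not match the integrity hash the site owner pinned for that script.
    """
    hashes = {name: sri_hash(fetch(url, ua)) for name, ua in user_agents.items()}
    mismatched = [n for n, h in hashes.items() if pinned is not None and h != pinned]
    return {
        "hashes": hashes,
        "ua_dependent": len(set(hashes.values())) > 1,
        "pinned_mismatch": mismatched,
    }

# Constructed responses standing in for a real server: desktop clients get the
# legitimate library, mobile clients get the same file with extra code appended.
_CLEAN = b"window.booking = { init: function () {} };\n"
_TAMPERED = _CLEAN + b"/* extra code served only to mobile clients */\n"

def fake_fetch(url: str, user_agent: str) -> bytes:
    return _TAMPERED if ("Mobile" in user_agent or "iPhone" in user_agent) else _CLEAN

def demo() -> dict:
    """Run the check against the constructed server with the clean hash pinned."""
    return check_script_variants("https://example.invalid/booking.js", fake_fetch,
                                 pinned=sri_hash(_CLEAN))
```

In production, `fetch` would be a real HTTP client and the pinned value the `integrity` attribute the site ships on its script tag; a script the vendor legitimately updates will also trip the pinned check, which is the point of reviewing each change before re-pinning.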
Trend Micro says that while the number of websites affected is small, it is still significant considering one brand caters for 107 hotels, while the other supports 73 hotels. These establishments are located in a total of 28 countries.
The skimmer itself is generic and copies data including names, email addresses, telephone numbers, and payment card details. However, an interesting element is the fact this Magecart-related attack removes any credit card information input into a booking page and replaces it with another, crafted version.
According to the team, there are two likely reasons for this. The first is that some hotels do not ask for a CVV/CVC security code until the guest arrives, so by replacing the form the threat actors can also attempt to capture this key data.
The second is that some booking pages host the payment information on a different domain inside an HTML iframe as a security measure.
The injected code will check to see which language is in use -- such as English, Spanish, or French -- and will add a corresponding malicious credit card form.
It is not known how many individuals may have been impacted. Trend Micro says that it is also difficult to determine whether or not this threat group has been involved in previous Magecart campaigns due to a lack of evidence provided by network infrastructure or code, but added that it is certainly "possible."
Researchers from RiskIQ recently documented a new trend related to Magecart -- the purchase of old, sinkholed domains for new malvertising schemes.
These domains are used to host malicious scripts called by infected websites, as well as to facilitate the theft of data. According to the researchers, once a domain has been recognized, sinkholed, and cut out of the attack chain, fraudsters wait until the domain also expires and is returned to the market by registrars.
ZDNet has reached out to Roomleader and will update if we hear back.