A series of incidents involving the Magecart card-skimming attack has been noticed recently. The cyber crooks are now targeting mobile users of two hotel chain websites to steal payment card details along with other sensitive information. The hotel chains in question are spread across 14 countries, with one having 107 hotels and the other having 73 hotels.
What is the issue?
How was the attack executed?
Trend Micro noted that the affected hotel websites were developed by Roomleader, a Spain-based company that helps hotels build their online booking websites.
“The injected code first checks if an HTML element containing the ID ‘customerBookingForm’ is present on the webpage to make sure it is running on the hotel’s booking page. If the injected code is found to not be running on the page, it will go to sleep for one second and check repeatedly thereafter,” explained researchers.
What is the purpose of the skimmer?
The credit card skimmer is designed to steal data from payment forms. However, in this case, the gathered information includes:
The stolen data are then sent via HTTP POST to the remote URL “https[:]//googletrackmanager[.]com/gtm.php?id=”. Upon receipt of the information, the attacker then decrypts the data and collects the credit card information.
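A defender-side check for the exfiltration pattern described above, as an added example that is not taken from the researchers' report: it scans outbound requests recorded from a booking page, flags every POST to a host outside an allowlist, and notes when the host name is a near match for an allowed one. The allowlist, the `hotel.example` host and the sample requests are constructed for illustration; only the `googletrackmanager[.]com/gtm.php?id=` indicator comes from the article.

```javascript
// Added example. Hosts the booking page is expected to contact (assumed allowlist).
const ALLOWED_HOSTS = ['booking.hotel.example', 'www.googletagmanager.com'];

// Constructed outbound requests, e.g. from a proxy log or a synthetic browser run.
const SAMPLE_REQUESTS = [
  { method: 'GET', host: 'www.googletagmanager.com', path: '/gtm.js' },
  { method: 'POST', host: 'booking.hotel.example', path: '/reserve' },
  { method: 'POST', host: 'googletrackmanager[.]com', path: '/gtm.php?id=' },
  { method: 'POST', host: 'cdn.unknown.example', path: '/collect' },
];

// Turn a defanged indicator ("evil[.]com") back into a plain lowercase hostname.
const refang = (h) => h.replace(/\[\.\]/g, '.').toLowerCase();

// Second-to-last DNS label; fine for .com-style names, not for .co.uk-style suffixes.
const brandLabel = (host) => host.split('.').slice(-2)[0];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Report every POST to a host outside the allowlist, and say so when the
// host's brand label is within maxDistance edits of an allowed host's label.
function flagExfil(requests, allowed = ALLOWED_HOSTS, maxDistance = 3) {
  const findings = [];
  for (const r of requests) {
    const host = refang(r.host);
    if (r.method !== 'POST' || allowed.includes(host)) continue;
    const near = allowed.find((a) => {
      const d = editDistance(brandLabel(host), brandLabel(a));
      return d > 0 && d <= maxDistance;
    });
    const reason = near ? `look-alike of ${near}` : 'POST to unlisted host';
    findings.push({ host, path: r.path, reason });
  }
  return findings;
}
```

Calling `flagExfil(SAMPLE_REQUESTS)` returns two findings: the article's indicator, reported as a look-alike of the allowlisted tag-manager host, and the unrelated unlisted host.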
An interesting aspect of the attack
Although the skimming process itself is not unique, the attack was found to replace the original credit card forms on the booking page with fake ones. To make them appear legitimate, the attackers had also prepared the forms in eight languages that are supported by the targeted hotel websites: English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.
It is unclear if Magecart groups are involved in the attacks. However, researchers believe that the threat actors behind this campaign were also involved in previous campaigns.